Information Security Principles

  • Does the system do the right thing?
  • Does the system do the right thing in the right way?

Four common classes of safe ratings

B-Rate: No actual testing is performed to gain this rating.

C-Rate: 1-inch-thick door and a lock. No tests are conducted to provide this rating, either.

UL TL-15: The label means that the safe has been tested for 15 minutes using “common hand tools, drills, punches, hammers, and pressure applying devices.”

UL TL-30: Testers get 30 minutes and a few more tools to help them gain access.

CIA Triad

  • Protect the confidentiality of data
  • Preserve the integrity of data
  • Promote the availability of data for authorized use

Integrity models

  • Prevent unauthorized users from making modifications to data or programs
  • Prevent authorized users from making improper or unauthorized modifications
  • Maintain internal and external consistency of data and programs

Availability Models

  • Denial of Service
  • Loss of information
  • Equipment failures

Security = Risk Management

Risk analysis and risk management are central themes for securing information systems. When risks are well understood, three outcomes are possible:

  • The risks are mitigated (countered).
  • Insurance is acquired against the losses that would occur if a system were compromised.
  • The risks are accepted and the consequences are managed.

Degree of risk:

  1. What is the consequence of loss?
  2. How likely is it that the loss will occur?
    • Extreme risk: immediate action
    • High risk: senior management attention
    • Moderate risk: management responsibility
    • Low risk: routine procedures

  • Vulnerability: a known problem within a system or program
  • Exploit: a program or a how-to guide that takes advantage of vulnerabilities
  • Attacker: whoever carries out the exploit

Security Controls:

  • Preventative: access controls
  • Detective: checking for unusual activity
  • Responsive: policy for detections

Defense in Depth

  • People: separation of duties
  • Process control: procedures documentation
  • Technology: Technology can fail