Information SecurityPrinciples and Practices, 2nd Edit.docx

Information Security
Principles and Practices, 2nd Edition
Dr. Cindi Nadelman
New England College
Chapter 2: Information Security Principles of
Success
*
© Pearson Education 2014, Information Security: Principles and
Practices, 2nd Edition
*
ObjectivesBuild an awareness of 12 basic principles of
information securityDistinguish among the three main security
goalsLearn how to design and apply the principle of “Defense in
Depth”Comprehend human vulnerabilities are security systems
*

*
Objectives (cont.)Explain the difference between functional and
assurance requirementsComprehend the fallacy of security
through obscurityComprehend the importance of risk analysis
and risk management tools and techniquesDetermine which side
of open disclosure debate you would take
*
*
IntroductionBest security specialists combine practical
knowledge and technical skills with understanding of human
natureNo two systems or situations are identical, and there are
no cookbooks to consult on how to solve security problems
*
*Given enough time, tools, skills, and inclination, a hacker can
break through any security measureSecurity testing can buy

additional time so the attackers are caught in the act
Principle 1:There Is No Such Thing as Absolute Security
*
*All information security measures try to address at least one of
the three goals:ConfidentialityIntegrityAvailability The three
security goals form the CIA triad
Principle 2: The Three Security Goals Are Confidentiality,
Integrity, and Availability
*
*Protect the confidentiality of dataConfidentiality models are
primarily intended to ensure that no unauthorized access to
information is permitted and that accidental disclosure of
sensitive information is not possible Preserve the integrity of
dataIntegrity models keep data pure and trustworthy by
protecting system data from intentional and accidental
changesPromote the availability of data for authorized
useAvailability models keep data and resources available for
authorized use during denial-of-service attacks, natural

disasters, and equipment failures
Principle 2: The Three Security Goals Are Confidentiality,
Integrity, and Availability (cont.)
*
*Defense in depthInvolves implemented security in overlapping
layers that provide the three elements needed to secure assets:
prevention, detection, and responseThe weaknesses of one
security layer are offset by the strengths of two or more layers
Principles 3: Defense in Depth as Strategy
*
*Takes little to convince someone to give up their credentials in
exchange for trivial or worthless goodsMany people are easily
convinced to double-click the attachment or links inside emails
Subject: Here you have, ;o)
Message body: Hi: Check This!
Attachment: AnnaKournikova.jpg.vbs
Principle 4: When Left on Their Own, People Tend to Make the

Worst Security Decisions
*
*Functional requirementsDescribe what a system should
doAssurance requirementsDescribe how functional requirements
should be implemented and tested
Does the system do the right things in the right
way?Verification: The process of confirming that one or more
predetermined requirements or specifications are metValidation:
A determination of the correctness or quality of the mechanisms
used in meeting the needs
Principle 5: Computer Security Depends on Two Types of
Requirements: Functional and Assurance
*
*Many people believe that if hackers don’t know how software
is secured, security is betterAlthough this seems logical, it’s
actually untrueObscuring security leads to a false sense of
security, which is often more dangerous than not addressing

security at all
Principle 6: Security Through Obscurity Is Not an Answer
*
*Security is not concerned with eliminating all threats within a
system or facility but with eliminating known threats and
minimizing losses if an attacker succeeds in exploiting a
vulnerabilitySpending more on security than the cost of an asset
is a waste of resourcesRisk assessment and risk analysis are
used to place an economic value on assets to best determine
appropriate countermeasures that protect them from losses
Principle 7: Security = Risk Management
*
Principle 7: Security = Risk Management cont.
Two factors to determine riskWhat is the consequence of a
loss?What is the likelihood the loss will
occur?Consequences/likelihood matrix
*LikelihoodConsequences1. Insignificant2. Minor3. Moderate4.
Major5. CatastrophicA (almost

certain)HighHighExtremeExtremeExtremeB
(likely)ModerateHighHighExtremeExtremeC
(moderate)LowModerateHighExtremeExtremeD
(unlikely)LowLowModerateHigh ExtremeE
(rare)LowLowModerateHighHigh
*VulnerabilityA known problem within a system or
programExploitA program or a “cookbook” on how to take
advantage of a specific vulnerabilityAttackerThe link between a
vulnerability and an exploit
Principle 7: Security = Risk Management
cont.
*
*A security mechanism serves a purpose by preventing a
compromise, detecting that a compromise or compromise
attempt is underway, or responding to a compromise while it is
happening or after it has been discovered
Principle 8: The Three Types of Security Controls Are
Preventative, Detective, and Responsive

*
*The more complex a system gets, the harder it is to secure
Principle 9: Complexity Is the Enemy of Security
*
*Information security managers must justify all investments in
security using techniques of the tradeWhen spending resources
can be justified with good, solid business rationale, security
requests are rarely denied
Principle 10: Fear, Uncertainty, and Doubt (FUD) Do Not Work
in Selling Security
*

*People controlsDual control and separation of dutiesProcess
controls Different people can perform the same operation the
same way every timeTechnology alone without people and
process controls can failPeople, process, and technology
controls are essential elements of security practices including
operations security, applications development security, physical
security, and cryptography
Principle 11: People, Process, and Technology Are All Needed
to Adequately Secure a System or Facility
*
*Keeping a given vulnerability secret from users and from the
software developer can only lead to a false sense of securityThe
need to know trumps the need to keep secrets to give users the
right to protect themselves
Principle 12: Open Disclosure of Vulnerabilities Is Good for
Security!
*
Users have a right to know about defects in the products they
purchase, just as they have a right to know about automobile
recalls because of defects.

*
SummaryComputer security specialists must not only know the
technical side of their jobs but also must understand the
principles behind information securityThese principles are
mixed and matched to describe why certain security functions
and operations exist in the real world of IT
*
*
*
*
*
*
*
*
*
*
*
*

*
*
*
*
*
*
*
Users have a right to know about defects in the products they
purchase, just as they have a right to know about automobile
recalls because of defects.
*
Running head: ARTICLE REVIEW 1
ARTICLE REVIEW 4
Article Summary Assignment #1
Prepared by: Abhignya Kannaiahgari
Date: May 16th, 2019
ECS 6200 – Managing Information Security
Article Title: Why Reward for Loyal Spenders Are ‘a Honey Pot
for Hackers’
Reference
:https://www.nytimes.com/2019/05/11/business/rewards-loyalty-
program-fraud-
security.html?rref=collection%2Ftimestopic%2FComputer%20S
ecurity%20(Cybersecurity)&action=click&contentCollection=ti
mestopics&region=stream&module=stream_unit&version=latest
&contentPlacement=4&pgtype=collection
Loyalty programs are commonly known and utilized by the

people, but technology is modifying how it is utilized. Initially,
loyalty started with coupons, but with time and technological
integration, it has shifted to apps, and now websites (Hsu,
2019). But unlike many people realize, current loyalty programs
are after something more valuable today compared to currency,
and that is personal data. Personal data holds vital information
about the holder, and this makes them targets for hackers. This
data if stolen can be used to impersonate consumers breaching
the contracts of their loyalty programs (Hsu, 2019). Other
outcomes also include the depletion of accounts of their
financial resources into the black market. This raises the
question of whether loyalty programs are potential risks for
consumers.
An example is that of 2018 which is deemed as the largest
data breach in I.T. history when Marriot’ Starwood unit was a
victim to an attack whereby personal data was stolen. Mainly
passport numbers, they were stored in a DD (Dunkins’ Donuts’)
program that was not protected (Hsu, 2019). Hackers target
these loyalty programs as they offer a lot of data with the least
resistance; this is as per institutional experts. Users of these
programs easily sign up and use weak passwords and in most
cases neglect consumer data. Nonetheless, the overall reality of
the matter is that programs, hackers and technology, in general,
have grown at an almost exponential rate but cybersecurity is
lagging (Hsu, 2019).
The urgency of the matter is appreciated when people
understand that company loyalty programs are tailored to
faithful clients. With this in mind, they will willingly offer
personal information which will then be used to personalize
their experience. But with increasingly more information being
sent to the companies offering the loyalty programs less concern
is given on the data’s security (Hsu, 2019). But some companies
have learned from experience for example banks requiring
firmer authentications such as the two-factor authentication
system or various forms of biometric identification (Hsu, 2019).

The overall understanding that should be appreciated is that
loyalty programs are the new target for hackers.

Information SecurityPrinciples and Practices, 2nd Edit.docx

Recommended

Recommended

More Related Content

Similar to Information SecurityPrinciples and Practices, 2nd Edit.docx

Similar to Information SecurityPrinciples and Practices, 2nd Edit.docx (20)

More from annettsparrow

More from annettsparrow (20)

Recently uploaded

Recently uploaded (20)

Information SecurityPrinciples and Practices, 2nd Edit.docx