Least privilege- Should only have the rights necessary to complete yourLeast privilege- Should only have the rights necessary to complete your task.
task.
Economy of mechanism- Should be sufficiently small and as simple asEconomy of mechanism- Should be sufficiently small and as simple as to be verified and implemented
to be verified and implemented – – e.g., security kernel. Complex e.g., security kernel. Complex mechanisms should be correctly Understood, Modeled, Configured, mechanisms should be correctly Understood, Modeled, Configured, Implemented and Used
Implemented and Used
Complete mediation- Every access to every object must be checkedComplete mediation- Every access to every object must be checked
Open design- Let the design be open.Open design- Let the design be open. Security through obscurity Security through obscurity is a is a bad idea
bad idea
Should be open for scrutiny by the community- Better to have aShould be open for scrutiny by the community- Better to have a friend/colleague find an error than a foe
friend/colleague find an error than a foe
Separation of privilege- Access to objects should depend on more thanSeparation of privilege- Access to objects should depend on more than one condition being s
one condition being satisfiedatisfied
Least common mechanism- Minimize the amount of mechanismLeast common mechanism- Minimize the amount of mechanism common to more than one user and depended on by all users common to more than one user and depended on by all users
Psychological acceptability- User interface must be easy to use, so thatPsychological acceptability- User interface must be easy to use, so that users routinely and automatically apply the mechanisms correctly.
users routinely and automatically apply the mechanisms correctly.
Otherwise, they will be
Otherwise, they will be bypassedbypassed
Fail-safe defaults. Should be lack of accessFail-safe defaults. Should be lack of access
TOPIC 4:
TOPIC 4: Security Issues in Hardware Security Issues in Hardware
Understand and accept that hardware-based security is extremely difficult Understand and accept that hardware-based security is extremely difficult – – Just because it's a hardware product does not mean it's secure.
Just because it's a hardware product does not mean it's secure.
Threat Vectors Threat Vectors
Interception (or Eavesdropping)
Interception (or Eavesdropping) – – Gain access to protected information Gain access to protected information without opening the product.
without opening the product.
Interruption (or Fault Generation)
Interruption (or Fault Generation) – – Preventing the product from Preventing the product from functioning normally
functioning normally Modification
Modification – – Tampering with the product, typically invasive Tampering with the product, typically invasive Fabrication/Man-in-the-Middle
Fabrication/Man-in-the-Middle – – Creating counterfeit assets of a product Creating counterfeit assets of a product
Attack Goal Attack Goalss
Competition (or Cloning)
Competition (or Cloning) – – Specific IP Specific IP theft to theft to gain marketplace advangain marketplace advantagetage Theft-of-Service
Theft-of-Service – – Obtaining service for free that normally requires money Obtaining service for free that normally requires money User Authentication (or Spoofing)
User Authentication (or Spoofing) – – Forging a user's identity to gain access Forging a user's identity to gain access to a system
to a system
Privilege Escalation (or Feature
Privilege Escalation (or Feature Unlocking)Unlocking) – – Gaining increased command Gaining increased command of a system or unlocking hidden/undocumented features
of a system or unlocking hidden/undocumented features Attacks Aga
Attacks Against inst Access control Access control
Biometrics Biometrics Authentication
Authentication tokenstokens
Network appliances Network appliances
Cryptographic accelerators Cryptographic accelerators
Wireless access points Wireless access points Network
Network adapters/adapters/NICsNICs PDAs/Mobile devices PDAs/Mobile devices
Some of the other topics in this unit likeSome of the other topics in this unit like IntrusIntrusion Dion Detetectectionion,, A Accccesesss Control
Control,, BBaackckup aup and Snd Sttoraoraggee have been covered in previous have been covered in previous sections, please refer to those sections for
sections, please refer to those sections for these topicsthese topics
UNIT
UNIT – – 4 4
TOPIC 1: Security Policy TOPIC 1: Security Policy
Security policy is a definition of what
Security policy is a definition of what it means toit means to be securebe secure for a for a systemsystem,, organization or other entity.
organization or other entity.
For an organization, it addresses the constraints on behavior of its For an organization, it addresses the constraints on behavior of its
members as well as constraints imposed on adversaries by mechanisms members as well as constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls.
such as doors, locks, keys and walls.
For systems, the security policy addresses constraints on functions and For systems, the security policy addresses constraints on functions and flow among them, constraints on access by external systems and
flow among them, constraints on access by external systems and adversaries including programs and access to data by people.
adversaries including programs and access to data by people.
If it is important to be secure, then it is important to be sure all of the If it is important to be secure, then it is important to be sure all of the security policy is enforced by
security policy is enforced by mechanisms that are strong enough. Theremechanisms that are strong enough. There are many organized methodologies and risk assessment strategies to are many organized methodologies and risk assessment strategies to assure completeness of security policies and assure that they are assure completeness of security policies and assure that they are completely enforced
completely enforced. In . In complex systems, such ascomplex systems, such as information systemsinformation systems,, policies can be
policies can be decompodecomposed into sub-policies to sed into sub-policies to facilitate the allocation offacilitate the allocation of security mechanisms to enforce sub-policies.
security mechanisms to enforce sub-policies.
E
E mmaail Pil P ololicyicy
Here are five reasons why your company needs an email policy:
Here are five reasons why your company needs an email policy:
1. Protect against email threats
1. Protect against email threats: An email policy helps prevent email: An email policy helps prevent email
threats. A well laid out email policy makes your staff aware of the corporate threats. A well laid out email policy makes your staff aware of the corporate rules and guidelines, which if
rules and guidelines, which if followed will protect your company againstfollowed will protect your company against (spear) phishing attacks and confidentiality leaks, aid compliancy and (spear) phishing attacks and confidentiality leaks, aid compliancy and minimize legal liability.
minimize legal liability.
2. Avoid misconduct
2. Avoid misconduct: An email policy can help stop any misconduct at an: An email policy can help stop any misconduct at an early stage, for instance by asking employees to come forward as soon as early stage, for instance by asking employees to come forward as soon as
help avoid legal liability. For instance in the case of Morgan Stanley, the help avoid legal liability. For instance in the case of Morgan Stanley, the court ruled that a single e-mail communication (a racist joke, in this case) court ruled that a single e-mail communication (a racist joke, in this case) cannot create a hostile work environment and dismissed the case against cannot create a hostile work environment and dismissed the case against them.
them.
3. Reduce liability
3. Reduce liability: If an incident does occur, an email policy can minimize: If an incident does occur, an email policy can minimize the company’s liability for
the company’s liability for the employee’s actions. Previous cases havethe employee’s actions. Previous cases have proven that the existence of an email policy can prove that the company proven that the existence of an email policy can prove that the company has taken steps to prevent inappropriate use of the email system and has taken steps to prevent inappropriate use of the email system and therefore can be freed of liability. WorldCom Corp. for instance, faced a therefore can be freed of liability. WorldCom Corp. for instance, faced a court case from two former employees for allowing four racially offensive court case from two former employees for allowing four racially offensive jokes on its em
jokes on its email systemail system. WorldCom s. WorldCom successfully deuccessfully defended themfended themselvesselves because they had an email policy that spelled out inappropriate content because they had an email policy that spelled out inappropriate content and because they took prompt remedial action against the co-worker who and because they took prompt remedial action against the co-worker who sent the racially harassing e-mails.
sent the racially harassing e-mails.
4. Educate Email Etiquette
4. Educate Email Etiquette: You can use your email policy to educate: You can use your email policy to educate your employees in email etiquette to ensure that your company conveys a your employees in email etiquette to ensure that your company conveys a professional image in its
professional image in its email communications.email communications.
5. Warn employees of email monitoring
5. Warn employees of email monitoring: If you are going to use email: If you are going to use email filtering software to check the contents of
filtering software to check the contents of your employees’ emails, it isyour employees’ emails, it is essential to have an email policy that warns your employees that their essential to have an email policy that warns your employees that their emails might be monitored. If you do not have such as policy you could be emails might be monitored. If you do not have such as policy you could be liable for privacy infringement. More about the legality
liable for privacy infringement. More about the legality of email monitoring.of email monitoring.
WWW S
WWW Secuecurity Polrity Policyicy
By creating a security policy for your business you can protect your business By creating a security policy for your business you can protect your business from most of the common forms of internet threat.
from most of the common forms of internet threat.
The internet can be a great force for good, but unfortunately it can also be the The internet can be a great force for good, but unfortunately it can also be the conduit for everything that is bad in the world. While you may be wise to spam conduit for everything that is bad in the world. While you may be wise to spam emails, phishing emails and files that aren't quite as innocent as they seem, your emails, phishing emails and files that aren't quite as innocent as they seem, your staff may not be quite so security conscious in their use of the internet.
staff may not be quite so security conscious in their use of the internet.
employers as these sites can be a huge distraction from day to day work. This is employers as these sites can be a huge distraction from day to day work. This is where a security policy comes in to play.
where a security policy comes in to play.
When you take on new staff in your business the last thing on your mind is When you take on new staff in your business the last thing on your mind is probably, "how do I make sure that my staff are internet safe"? However by probably, "how do I make sure that my staff are internet safe"? However by creating a security policy you will have laid out clear lines of responsibilities that creating a security policy you will have laid out clear lines of responsibilities that will ensure you and your team protect the reputation of your business, as well as will ensure you and your team protect the reputation of your business, as well as preventing your business from potential internet attacks, and from claims by an preventing your business from potential internet attacks, and from claims by an employee that "they didn't know".
employee that "they didn't know".
The policy basics The policy basics
The objective of an internet security policy is t The objective of an internet security policy is t
Set the boundaries of employee use.Set the boundaries of employee use.
Describe what is deemed acceptable behavior.Describe what is deemed acceptable behavior.
Explain processes and procedures employees should adopt to protect andExplain processes and procedures employees should adopt to protect and manage your systems.
manage your systems.
Assign roles and responsibilit Assign roles and responsibilities for staff ies for staff so everyone knows their respectiso everyone knows their respectiveve tasks.
tasks.
Detail the outcomes if the policy is ignored or deliberately breached.Detail the outcomes if the policy is ignored or deliberately breached.
Pol
Policy Ricy Reevieview Procew Processss
Many problems with procedures that crop up
Many problems with procedures that crop up afterafter they’ve been implemented arethey’ve been implemented are traceable to inadequate or no review.
traceable to inadequate or no review.
Let’s say a procedure as written
Let’s say a procedure as written describes an ideal process, performed underdescribes an ideal process, performed under ideal conditions (i.e.,
real-ideal conditions (i.e., real-world conditions aren’t taken into account). If this isn’tworld conditions aren’t taken into account). If this isn’t caught in the policy review process, the end product will meet
caught in the policy review process, the end product will meet requirements
requirements only only through luck. Luck being notoriously unreliable, through luck. Luck being notoriously unreliable,
An Effective Policy Review Process An Effective Policy Review Process
Why do you review
Why do you review anything anything ? To ensure the accuracy and completeness of? To ensure the accuracy and completeness of whatever it is you’re reviewing and to make sure everyone has
whatever it is you’re reviewing and to make sure everyone has the same the same understanding of the policy, process, or situation. In short, to ensure
understanding of the policy, process, or situation. In short, to ensure effectiveeffective communication
communication, which will lead you to the desired outcome., which will lead you to the desired outcome.
Effective communication is a big reason why the international quality Effective communication is a big reason why the international quality
standard, ISO 9001, mandates design and development reviews (clause 7.3.4).
standard, ISO 9001, mandates design and development reviews (clause 7.3.4).
If you
If you don’t don’t review, you risk missing any number of product requirements, both review, you risk missing any number of product requirements, both stated and unstated, and you risk losing customers.
stated and unstated, and you risk losing customers.
Need another reason to review policies and procedures? No one is perfect and Need another reason to review policies and procedures? No one is perfect and no process is perfect. No one will write the perfect procedure the first time, every no process is perfect. No one will write the perfect procedure the first time, every time.
time.
Furthermore, no one
Furthermore, no one —— NO ONE! NO ONE! —— can multitask. Your technical writer wears can multitask. Your technical writer wears several
several other t other t hats, right? That person is bound to temporarily lose focus on thehats, right? That person is bound to temporarily lose focus on the policy or proc
policy or procedure they’re writing when other projects and other managers areedure they’re writing when other projects and other managers are continually demanding that
continually demanding that theirtheir stuff is mission critical, “…so drop everythingstuff is mission critical, “…so drop everything and work on
and work on thisthis.” (Now, where.” (Now, where waswas I?) I?)
We all agree, then, that policies and procedures have to be reviewed, right? So, We all agree, then, that policies and procedures have to be reviewed, right? So, how’s it done? Well, one method that works is based on speech
how’s it done? Well, one method that works is based on speech evaluations as evaluations as done by Toastmasters. For a Toastmaster, learning how to
done by Toastmasters. For a Toastmaster, learning how to evaluateevaluate a speech a speech – – or a written document
or a written document – – is as critical as learning how to is as critical as learning how to givegive a speech a speech or
or writewrite one. one.
In your policy review process, whether its written or oral, be sure to lead with In your policy review process, whether its written or oral, be sure to lead with those aspects of the procedure where objectives were met
those aspects of the procedure where objectives were met or exceeded or exceeded . If critical. If critical procedure review objectives were not, consider possible explanations for that procedure review objectives were not, consider possible explanations for that
(the writer’s level o
(the writer’s level of experience, competing projects, the amount of informationf experience, competing projects, the amount of information provided them, clarity of the objectives, etc.).
provided them, clarity of the objectives, etc.).
S
Samample ple SSecuecurriity Pty Policolicyy
TOPIC 2: LAWS TOPIC 2: LAWS
CCopopyriyrigght ht LawLaw
Copyright is a bundle of rights given by the law to the creators of literary, Copyright is a bundle of rights given by the law to the creators of literary, dramatic, musical and artistic works and the producers of cinematograph dramatic, musical and artistic works and the producers of cinematograph films and sound recordings
films and sound recordings
The rights provided under Copyright law include the rights of reproduction The rights provided under Copyright law include the rights of reproduction of the work, communication of the work to the public, adaptation of the work of the work, communication of the work to the public, adaptation of the work and translation of the work The scope and duration of protection provided and translation of the work The scope and duration of protection provided under copyright law varies with the nature of the protected work.
under copyright law varies with the nature of the protected work.
The Indian copyright law protects literary works, dramatic works, musical The Indian copyright law protects literary works, dramatic works, musical works, artistic works, cinematograph films and
works, artistic works, cinematograph films and sound recordings.sound recordings.
Informa
Information Technoltion Technologogy y AAct, 2000ct, 2000
The Information Technology Act,
The Information Technology Act, 2000 (also known as ITA-2000, or the IT Act) is2000 (also known as ITA-2000, or the IT Act) is an Act of the
an Act of the Indian ParliamentIndian Parliament (No 21 of 2000) notified on 17 October 2000. It is (No 21 of 2000) notified on 17 October 2000. It is the primary law in
the primary law in IndiaIndia dealing with dealing with cybercrimecybercrime and and electronic commerceelectronic commerce. It is. It is based on the
based on the United Nations Model Law on Electronic Commerce 1996United Nations Model Law on Electronic Commerce 1996
(UNCITRAL Model) recommended by the general assembly of united nations by (UNCITRAL Model) recommended by the general assembly of united nations by
(UNCITRAL Model) recommended by the general assembly of united nations by (UNCITRAL Model) recommended by the general assembly of united nations by