Information Security Principles

Information can be private or public, personal or generic, valuable or commonplace, online or offline. Like any other asset, it has to be protected. This is even more important online, where attackers can steal or misuse information remotely, without any physical access to where that information resides.

In line with evolving technology, information security practices have evolved from high-level principles into more detailed sets of practices and checklists. In practice, there's no single list of principles that everyone agrees on. Many lists exist, each one customized for its context.

Discussion

  • Which are the three principal information security principles?
    The CIA information security triad. Source: Vonnegut 2016.

    The three main security principles are:

    • Confidentiality: Protect against unauthorized access to information.
    • Integrity: Protect against unauthorized modification of information. Even if an adversary can't read your information, they can corrupt it or selectively change it to cause further damage later on.
    • Availability: Protect against denial of access to information. Even if an adversary can't read or modify your information, they can prevent you from accessing or using it. For example, they can destroy or congest communication lines, or bring down the data server.

    These principles have also been called security goals, objectives, properties or pillars. Most commonly, they are known as the CIA Triad.

    Security practitioners consider these principles important but vague. They describe the "what" but not the "how", so they have to be translated into concrete practices based on context. They have been applied to IT infrastructure, cloud systems, IoT systems, web/mobile apps, databases, and so on. The actual practices differ, but each can be traced back to one or more legs of the CIA triad.

  • What are some variations of CIA?
    McCumber Cube is designed to address cybersecurity. Source: Morrow 2012.

    It's been said that the CIA Triad is focused on technology and ignores the human element. The Parkerian Hexad therefore addresses the human element with three more principles:

    • Possession/Control: It's possible to lose possession or control of information without breaching confidentiality (for example, a stolen encrypted laptop: the data is not readable, but it is no longer in your control).
    • Authenticity: This is about proof of origin. We should have assurance that the information comes from the claimed, trusted source.
    • Utility: Information may be available but is it in a usable state or form?

    Another variation is the McCumber Cube. It includes the CIA Triad but also adds three states of information (transmission, storage, processing) and three categories of security measures (training, policy, technology).

    Other published security principles have come from OECD, NIST, ISO, COBIT, Mozilla, and OWASP.

  • What are some means of achieving the CIA security goals?
    Ontology of information security. Source: Cherdantseva and Hilton 2012, slide 6.

    Authorization, authentication and the use of cryptography are some techniques for achieving the CIA security goals. These have sometimes been called security mechanisms. Mechanisms are designed to protect assets and mitigate risks. However, they may themselves have vulnerabilities that threats will attempt to exploit.

    Confidentiality is often achieved via encryption. Attackers in possession of encrypted data can't read it without the requisite decryption keys. File permissions and access control lists also enforce confidentiality. For integrity, a hash of the original data can be used, but the hash must itself be delivered securely: an attacker who can modify the data and also replace the unkeyed hash defeats the check, which is why a keyed MAC (e.g. HMAC) or a digital signature based on public-key cryptography (with the signer's public key distributed via a digital certificate) is used when the data crosses an untrusted channel. For availability, there should be redundancy built into the system. Backups should be in place to restore services quickly. Systems should have recent security updates. Provide sufficient bandwidth to avoid bottlenecks.

    People must be trained to use strong passwords, recognize possible threats and become familiar with social engineering methods.
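    The integrity point above (an unkeyed hash only detects accidental corruption; a keyed MAC detects deliberate tampering by anyone without the key) is illustrated by the following added example. It is not code from the original article; the message text and the attacker's edit are constructed for the demonstration, and the key is a random shared secret that sender and receiver are assumed to hold.

```python
import hashlib
import hmac
import secrets

# Constructed sample message (not from the article).
MESSAGE = b"transfer 100.00 to account 4242"


def sha256_hex(data: bytes) -> str:
    """Unkeyed hash: anyone, including an attacker, can recompute it."""
    return hashlib.sha256(data).hexdigest()


def hmac_sha256_hex(key: bytes, data: bytes) -> str:
    """Keyed MAC: only holders of `key` can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_plain_hash(data: bytes, tag: str) -> bool:
    # compare_digest avoids leaking the match position via timing
    return hmac.compare_digest(sha256_hex(data), tag)


def verify_hmac(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(hmac_sha256_hex(key, data), tag)


def tamper(data: bytes) -> bytes:
    """Attacker's edit: change the amount but keep the rest of the message."""
    return data.replace(b"100.00", b"900.00")


def demo() -> dict:
    """Run both integrity schemes against the same tampering and report what each catches."""
    key = secrets.token_bytes(32)   # shared secret, assumed to be held by both ends
    tampered = tamper(MESSAGE)
    results = {}

    # 1. Plain hash shipped alongside the data.
    plain_tag = sha256_hex(MESSAGE)
    # Detected only if the attacker could not touch the hash itself.
    results["plain_hash_detects_tamper"] = not verify_plain_hash(tampered, plain_tag)
    # If the attacker rewrites the hash too, the check passes: no integrity.
    results["plain_hash_fooled_when_hash_replaced"] = verify_plain_hash(tampered, sha256_hex(tampered))

    # 2. HMAC over the data with the shared key.
    tag = hmac_sha256_hex(key, MESSAGE)
    results["hmac_accepts_genuine"] = verify_hmac(key, MESSAGE, tag)
    results["hmac_detects_tamper"] = not verify_hmac(key, tampered, tag)
    # Without the key the attacker cannot produce a tag that verifies.
    forged = hmac_sha256_hex(b"attacker-guess", tampered)
    results["hmac_rejects_forged_tag"] = not verify_hmac(key, tampered, forged)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

    The plain hash still has a use when it is obtained over a separately trusted path (a checksum published on an HTTPS page next to a download served from a mirror); the moment hash and data travel together over the same untrusted channel, only a MAC or a signature gives integrity.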

  • What are some common approaches to enhancing information security?

    Complex systems are hard to secure. Keep the design simple. This also minimizes the attack surface. For example, a free-text search box wired directly into a database query is exposed to SQL injection; a more constrained search UI reduces the exposure, and binding user input as query parameters removes it. Use secure defaults, such as rejecting trivial passwords. Give users or programs the least privilege needed to perform their function. When failures occur, ensure the system fails securely, without granting more access than it would in normal operation.

    Practise defence in depth. This means that multiple layers of control are better than a single one. Security at the application layer alone is not enough. Secure server access, network communications, wireless access, the user interface, and so on. Don't trust third-party services. Have a clear separation of duties to prevent fraud. For example, admin users shouldn't be able to log in to the frontend with the same privileges and make purchases on behalf of others.

    Avoid security by obscurity. This means that we shouldn't rely on the design or implementation staying hidden; only keys and credentials should need to be secret. For example, even if the source code is leaked or the encryption algorithm is known, the system should remain secure.

    Prefer decentralized systems with replication to centralized ones.
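    The search-box example above, and the database threat described in the next question, can be made concrete. The following added example (not code from the original article) builds a constructed in-memory SQLite catalogue with one non-public row and runs the same search twice: once with the user's text concatenated into the SQL, once with it bound as a parameter. The table, rows and the injection string are all assumptions made for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed product catalogue with one row that must never be shown publicly."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)")
    conn.executemany(
        "INSERT INTO products (name, public) VALUES (?, ?)",
        [("keyboard", 1), ("mouse", 1), ("unreleased-widget", 0)],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """The weak form: the search-box text becomes part of the SQL statement."""
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE '%" + term + "%'"
    return sorted(row[0] for row in conn.execute(sql))


def search_parameterized(conn: sqlite3.Connection, term: str) -> list:
    """The hardened form: the same query, with the user input bound as a parameter.

    The driver sends the pattern as data, so quotes and comment markers in `term`
    can never change the statement's structure."""
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE ?"
    return sorted(row[0] for row in conn.execute(sql, ("%" + term + "%",)))


# Constructed attacker input: closes the quoted pattern, ORs in a tautology,
# and comments out the rest of the statement. With it, the vulnerable query
# becomes  ... WHERE public = 1 AND name LIKE '%' OR 1=1 --%'
# so the public = 1 filter no longer applies and the non-public row leaks.
INJECTION = "' OR 1=1 --"


if __name__ == "__main__":
    db = make_db()
    print("normal search:      ", search_vulnerable(db, "key"))
    print("injected, vulnerable:", search_vulnerable(db, INJECTION))
    print("injected, bound:     ", search_parameterized(db, INJECTION))
```

    Note that the injected text is a legitimate-looking search string; no input filter on the UI is a substitute for parameter binding. Least privilege applies here too: the account the application uses should only be able to read the rows it must serve, so that even a successful injection exposes as little as possible.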

  • Could you mention some threats or attacks by which hackers can compromise the security principles?

    Sniffing data communications, particularly when they're not encrypted, is an example of a breach of confidentiality. ARP spoofing sends false ARP messages so that traffic is directed to the wrong computer, which then enables such sniffing or tampering. Phishing is an attack on authenticity (and, in CIA terms, integrity), since the attacker's website tricks a visitor into believing it's the genuine one.

    Repeatedly sending requests to a service will overload the server. The server becomes progressively slower to respond and may even crash. This Denial-of-Service (DoS) attack makes the service unavailable.

    For databases, SQL injection is a major threat, allowing attackers access to sensitive data or extra privileges. Buffer overflow vulnerabilities can be exploited to modify data or execute attacker-controlled code. DoS attacks are possible against databases and their servers.

    In any case, record all transactions and events. This leads to better detection of intrusions and to future prevention. Have a good recovery plan. Perform frequent security tests to discover vulnerabilities.
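    As an added example of what recording events buys you (not code from the original article), the block below parses constructed web-server access-log lines in Common Log Format and flags any client that exceeds a request-rate threshold within a sliding time window, which is the simplest detection for the request-flood DoS described above. The client addresses, timestamps, window size and threshold are all assumptions chosen for the demonstration; a real deployment tunes them to the service's normal traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")


def build_sample_log() -> list:
    """Constructed log: one ordinary client and one flooding client (documentation IPs)."""
    base = datetime(2020, 7, 21, 10, 0, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = []
    for i in range(8):  # ordinary client: one request per second
        ts = (base + timedelta(seconds=i)).strftime(fmt)
        lines.append(f'203.0.113.5 - - [{ts}] "GET /page/{i} HTTP/1.1" 200 512')
    for i in range(120):  # flooding client: 120 requests in 6 seconds
        ts = (base + timedelta(seconds=i // 20)).strftime(fmt)
        lines.append(f'198.51.100.7 - - [{ts}] "GET /search?q=x HTTP/1.1" 200 2048')
    lines.append("garbage line that does not parse")  # malformed input must not crash detection
    return lines


def detect_floods(lines, window: timedelta = timedelta(seconds=10), threshold: int = 50) -> dict:
    """Return {ip: first timestamp at which ip exceeded `threshold` requests in `window`}."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than trusting them
        events.append((parse_ts(m.group("ts")), m.group("ip")))
    events.sort(key=lambda e: e[0])  # logs from several workers may interleave

    recent = defaultdict(deque)  # per-client timestamps inside the current window
    flagged = {}
    for ts, ip in events:
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in detect_floods(build_sample_log()).items():
        print(f"{ip} exceeded the rate limit at {when.isoformat()}")
```

    The detector only sees what was logged, which is the point of the paragraph above: without the access log there is nothing to run it over, and without timestamps and client addresses in each record there is nothing to correlate. The same sliding-window structure applies to failed logins per account or per source address.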

Milestones

Information Security, or InfoSec, doesn't exist as a discipline in the 1950s or even the 1960s. Security is all about physically securing access to expensive machines, and reliability of computers is the main concern. As hardware and software become standardized and cheaper, it's only in the 1970s that there's a shift from computer security towards information security.

Computer network vulnerabilities identified in the Ware Report. Source: Pot 2016.

In the early years of the ARPANET (1970), the US Department of Defense commissions a report that's published by the RAND Corporation as Security Controls for Computer Systems. It identifies many potential threats and possible security measures. The task force was chaired by Willis H. Ware. In time, this report becomes influential and is known as the Ware Report.

James P. Anderson authors the Computer Security Technology Planning Study for the USAF (1972). This is published in two volumes. In time, this comes to be called the Anderson Report.

Multics was a timesharing operating system that started in 1965 as an MIT research project. In the summer of 1973, researchers at MIT look at the security aspects of Multics running on a Honeywell 6180 computer system. They come up with broad security design principles. They group the threats into three categories, with due credit to J. Anderson: unauthorized release of information, unauthorized modification of information, and unauthorized denial of use.

Prior to the 1980s, security is shaped by the defense sector, where confidentiality is the dominant goal. In the 1980s the focus shifts towards commercial concerns such as costs and business risks. Among these is the idea of integrity, since it's important for banks and businesses that information is not modified by unauthorized entities.

The Morris Worm (1988) becomes the first major denial-of-service incident on the Internet. Thus, availability is recognized as an essential aspect of information security.

In the JSC-NASA Information Security Plan document we find the term CIA Triad in use. However, the term could have been coined as early as 1986.

To complement InfoSec, Information Assurance (IA) emerges as a discipline. This is about securing information systems rather than information alone. With the growth of networks and the Internet, non-repudiation and authentication become important concerns. Non-repudiation means that parties can't deny having sent or received a piece of information.

Security objectives have dependencies. Source: Stoneburner 2001, fig. 2-1.

NIST publishes Underlying Technical Models for Information Technology Security (SP 800-33, 2001). It identifies five security objectives: availability, integrity, confidentiality, accountability and assurance. It points out that these are interdependent. For example, if confidentiality is compromised (e.g. the superuser password leaks), then integrity is likely to be lost as well.

Donn B. Parker (1998) expands on the CIA Triad by adding three more items: authenticity, possession or control, and utility. Parker also states that it's best to understand these six principles in pairs: confidentiality and possession, integrity and authenticity, and availability and utility. In time, these six principles have come to be called the Parkerian Hexad.

References

  1. Avner, Gabriel. 2019. "Application Security Best Practices Top 10 Checklist." Blog, WhiteSource, August 1. Accessed 2020-07-21.
  2. Cherdantseva, Y. and J. Hilton. 2012. "The Evolution of Information Security Goals from the 1960s to today." February. Accessed 2019-05-24.
  3. Chia, Terry. 2012. "Confidentiality, Integrity, Availability: The three components of the CIA Triad." IT Security Community Blog, StackOverflow, August 20. Accessed 2019-05-24.
  4. Deniz, Yeshim. 2019. "Three Pillars of CIA Triad IoT Security." Blog, PHP Journal, March 12. Accessed 2019-05-26.
  5. Estrin, Eyal. 2019. "Fundamental Cloud Security Concepts Part 1 – CIA." GÉANT Cloud Services. Accessed 2019-05-26.
  6. Golovatenko, Illya. 2018. "The Three Dimensions of the Cybersecurity Cube." Swan Software Solutions, December 13. Accessed 2019-05-24.
  7. MIT. 2019. "Multics." MIT. Accessed 2019-05-24.
  8. Morrow, Stephanie. 2012. "About McCumber Cube." InfoSec Blog, June 15. Accessed 2019-05-26.
  9. Mozilla Developer. 2019. "Confidentiality, Integrity, and Availability." MDN Web Docs, March 23. Accessed 2019-05-24.
  10. Mozilla InfoSec. 2019. "Security Principles." Mozilla Foundation. Accessed 2019-05-24.
  11. OWASP. 2015. "Category:Principle." OWASP, July 29. Accessed 2019-05-26.
  12. OWASP. 2016. "Security by Design Principles." OWASP, August 03. Accessed 2019-05-24.
  13. Pender-Bey, Georgie. 2012. "The Parkerian Hexad." In fulfillment of the Master of Science in Information Security Program, Lewis University. Accessed 2019-05-24.
  14. Pot, Justin. 2016. "This 1970 memo outlined every cybersecurity threat we face today." Digital Trends, April 18. Accessed 2019-05-26.
  15. Saltzer, Jerome H. 1974. "Protection and the Control of Information Sharing in Multics." Communications of the ACM, vol. 17, no. 7, pp. 388-402, July. Accessed 2019-05-24.
  16. Saltzer, Jerome H. and Michael D. Schroeder. 1975. "The Protection of Information in Computer Systems." Originally published at MIT. Accessed 2019-05-24.
  17. Stoneburner, Gary. 2001. "Underlying Technical Models for Information Technology Security." NIST Special Publication 800-33, December. Accessed 2019-05-26.
  18. Sykes, Alicia. 2020. "The Ultimate Personal Security Checklist." Lissy93/personal-security-checklist, on GitHub, July 20. Accessed 2020-07-21.
  19. Technopedia. 2017. "The 7 Basic Principles of IT Security." May 19. Accessed 2019-05-26.
  20. TechTarget. 2019. "confidentiality, integrity, and availability (CIA triad)." WhatIs, TechTarget. Accessed 2019-05-26.
  21. Vonnegut, Sarah. 2016. "The Importance of Database Security and Integrity." Blog, Altibase, June 24. Accessed 2019-05-24.
  22. Wikipedia. 2019. "Information security." Wikipedia, May 05. Accessed 2019-05-24.
  23. Yobicash. 2018. "The Holy Trinity of Information Security: What you need to know about the CIA Triad." Yobicash, via Medium, February 24. Accessed 2019-05-26.

Further Reading

  1. Saltzer, Jerome H. 1974. "Protection and the Control of Information Sharing in Multics." Communications of the ACM, vol. 17, no. 7, pp. 388-402, July. Accessed 2019-05-24.
  2. Smith, Richard E. 2012. "A Contemporary Look at Saltzer and Schroeder's 1975 Design Principles." IEEE Security & Privacy, vol. 10, no. 6, November-December. Accessed 2019-05-26.
  3. Yobicash. 2018. "The Holy Trinity of Information Security: What you need to know about the CIA Triad." Yobicash, via Medium, February 24. Accessed 2019-05-26.
  4. Mozilla InfoSec. 2019. "Security Principles." Mozilla Foundation. Accessed 2019-05-24.
  5. Villanova University. 2015. "The History of Data Security." February 02. Accessed 2019-05-24.
  6. Pender-Bey, Georgie. 2012. "The Parkerian Hexad." In fulfillment of the Master of Science in Information Security Program, Lewis University. Accessed 2019-05-24.

Cite As

Devopedia. 2020. "Information Security Principles." Version 4, July 21. Accessed 2022-02-15. https://devopedia.org/information-security-principles
