This repository has been archived by the owner on Aug 18, 2023. It is now read-only.

Security Goals


Information Security (44 U.S. Code § 3552)

(1) The term “information security” means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide—

(A) integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;

(B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and

(C) availability, which means ensuring timely and reliable access to and use of information.


Information Security Triad: CIA

The Information Security triad: CIA. Second version, 2009 John M. Kennedy T., used under CC-BY-SA 3.0


🎯 Confidentiality

  • Protecting information from disclosure to unauthorized parties
  • Access to information should be granted only on a need-to-know basis
  • Data categorization according to the amount and type of possible damage should it fall into the wrong hands

Supporting Principles (:closed_lock_with_key:)

  • Authentication, Authorization, Encryption, Anonymity, Secrecy

🎯 Integrity

  • Protecting information from being modified by unauthorized parties
  • Being correct or consistent with the intended state of information
  • Ensuring that the information is not tampered with whenever it travels from source to destination or even when it is stored at rest

Supporting Principles (:lock_with_ink_pen:)

  • Hashing, Digital Signatures, Non-repudiation, Tamper-evident packaging

🎯 Availability

  • Ensuring that authorized parties are able to access information when needed
  • Ensuring that the services of an organization are available

Supporting Principles (:atm:)

  • Accessibility, Fault Tolerance, Redundancy, Backup, Testing

Exercise 2.1 (:pushpin:)

  1. Which security goals are at risk by the following threats?

| Threat | C | I | A |
|---|---|---|---|
| Network Sniffing | | | |
| DDoS Attack | | | |
| Rogue WiFi Access Point | | | |
| Electromagnetic Pulse (EMP) | | | |
| Whistleblower | | | |
| Social Engineering | | | |

Attacker Behavior vs. Security Goals

| | Active | Passive | Threatened Security Goals |
|---|---|---|---|
| Observing | (:heavy_check_mark:) | ✔️ | Confidentiality |
| Altering | ✔️ | | Confidentiality, Integrity, Availability |

Extended CIA Models


  • Confidentiality
  • Possession / Control (:new:)
  • Integrity
  • Authenticity (:new:)
  • Availability
  • Utility (:new:)

🎯 Possession / Control

  • Protecting against the possibility that confidential data can be possessed/controlled by an unauthorized individual or party
  • Loss of control or possession of information should not automatically lead to the breach of confidentiality

Supporting Principles (:left_luggage:)

  • Encryption, Authentication

🎯 Authenticity

  • Assurance that a message or transaction is from the source it claims to be from

Supporting Principles (:memo:)

  • Identification, Digital Certificates

ℹ️ Despite its close relation to Integrity, Authenticity is occasionally also used as part of an extended CIAA quartet.
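
The difference between Integrity and Authenticity can be shown with the supporting principle "Hashing": an unkeyed hash detects accidental changes, but only a keyed tag also ties the message to its source. The following is an added example, not part of the original material; the key, the messages and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data; the key and messages are illustrative only.
SHARED_KEY = b"constructed-demo-key-not-for-production"
ORIGINAL = b"transfer 100 EUR to account 1234"
TAMPERED = b"transfer 900 EUR to account 9999"


def digest(message: bytes) -> str:
    """Unkeyed SHA-256 digest: anyone can compute it."""
    return hashlib.sha256(message).hexdigest()


def tag(message: bytes, key: bytes) -> str:
    """HMAC-SHA-256 tag: only holders of the shared key can compute it."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_digest(message: bytes, received_digest: str) -> bool:
    return hmac.compare_digest(digest(message), received_digest)


def verify_tag(message: bytes, received_tag: str, key: bytes) -> bool:
    # compare_digest avoids leaking the mismatch position through timing.
    return hmac.compare_digest(tag(message, key), received_tag)


def simulate_in_transit_modification() -> dict:
    """Receiver-side checks after a party without the key alters the message."""
    # The digest travels with the message, so it can be recomputed and replaced.
    replaced_digest = digest(TAMPERED)
    # The tag cannot be recomputed without the key; only the old one is available.
    original_tag = tag(ORIGINAL, SHARED_KEY)
    return {
        "untouched_digest_ok": verify_digest(ORIGINAL, digest(ORIGINAL)),
        "accidental_corruption_detected": not verify_digest(TAMPERED, digest(ORIGINAL)),
        "replaced_digest_accepted": verify_digest(TAMPERED, replaced_digest),
        "altered_message_tag_accepted": verify_tag(TAMPERED, original_tag, SHARED_KEY),
        "genuine_tag_accepted": verify_tag(ORIGINAL, original_tag, SHARED_KEY),
    }


if __name__ == "__main__":
    for check, result in simulate_in_transit_modification().items():
        print(f"{check}: {result}")
```

A digest that is transmitted alongside the data only protects Integrity against unintentional modification; the keyed tag is what lets the receiver reject the altered message.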


🎯 Utility

  • Usefulness of data or information

Supporting Principles (:floppy_disk::pager:)

  • Compatibility, Accessibility

Information may be available and therefore usable but it doesn't necessarily have to be in a useful form to be defined as available. [1]


CIA³ (2016)

  • Confidentiality
  • Integrity
  • Availability
  • Accountability (:new:)
  • Assurance (:new:)

CIA³ Logo, http://www.cia-cubed.org, used under CC-BY-SA 4.0


🎯 Accountability

  • Making it possible to answer questions like "Who did it?" or "Who is accountable?"
  • Considering legal consequences and contractual obligations
  • Encompassing segregation of duties and awareness training

Supporting Principles (:see_no_evil::hear_no_evil::speak_no_evil:)

  • Integrity, Non-repudiation, Authenticity, Design, Governance, Policy

🎯 Assurance

  • Introduces control activities for the aforementioned security goals
  • Periodic controls assuring that all security measures (both technical and operational) work as intended

Supporting Principles (:bar_chart::chart_with_upwards_trend:)

  • Auditing, Measuring, Monitoring, Continuous Improvement

Dependency Model of CIA³

CIA³ Model 2016, http://www.cia-cubed.org, used under CC-BY-SA 4.0


Exercise 2.2 (:handshake:)

  1. Which of the extended CIAA security goals could have been compromised in each of the Motivation: Case Studies?
  2. In your work group, research the assigned case and ✔️ all compromised goals
  3. Reason or prove each ✔️ briefly during the presentation to the plenum

| Case Study | Confidentiality | Integrity | Availability | Authenticity |
|---|---|---|---|---|
| Peloton | | | | |
| Marriott | | | | |
| Equifax | | | | |
| CloudPets | | | | |
| Missouri DESE | | | | |

Exercise 2.3 (:pencil::house:)

  1. Define at least three supporting measures for each CIA³ security goal, distinguishing between technical and organizational measures

| Security Goal | Technical Measures | Organizational Measures |
|---|---|---|
| Confidentiality | | |
| Integrity | | |
| Availability | | |
| Accountability | | |
| Assurance | | |

Footnotes

  1. http://cs.lewisu.edu/mathcs/msisprojects/papers/georgiependerbey.pdf