1. List the three fundamental security properties and for each give an example of a failure.
CIA is a commonly used standard for information systems security, concentrating on the 3 core goals of confidentiality, integrity and availability of information in the system. When every time IT team installs a software or a sever, they never forget to analyse the data transport methods, data base, how they provide access for users according to the CIA standards. Those three fundamental security properties are:
Confidentiality is limiting the information access for the users in the system. IT administrator need to identify to which users he should give access rights and which users he shouldn’t give or control. Methods like User identification number and password are commonly used techniques. Although these techniques can prevent unauthorised access you can’t guarantee it is 100% reliable. Confidentiality can be breached due to these factors:
Carelessness of users.
Unsecure document storage
In contrast in real life, students log in to university systems by using their user id and pass words. When they leave they should log off their accounts. But sometimes because of their carelessness they forget to do than and leave that as it is. So when situations like that anyone can use their login and do anything they want. (University of Miami, 1997-2008)
Integrity is the reliability of information resources. Main concentration is data has not been changed or modified during the communication process. It is very important that the user get exact information which came out from the database or whatever the resources. But yet again there is a possibility that integrity can be break.eg:
When a user tries to do online transaction, pay pal or net bank web site might appear as same as the original one interface might be same. But the web address or data base can be a fake one. In that case users can get cheated and stolen their money. (University of Miami, 1997-2008)
Availability is stability of information system. If the information system is not available whenever you need to get some information, that system is useless. A system should be more consistence. Think about an ATM machine, if the ATM is not responding as quickly as you want or it does not update your account quickly then that system is a fail system. (University of Miami, 2008)
2. If the useful life of DES was about 20 years (1977-1999), how long do you predict the useful life of AES to be? Justify your answer. AES encryption is 2^56 greater than the DES encryption. According to the Moore’s law, amount of transistors inside a silicon chip are doubles every two years. Every two years’ time the difference between DES and AES decreases. If Moore’s law continues then approximately after 112 years AES will be useless. 3. Security decision making should be based on rational thinking and sound judgement. In this context critique five security design principles with suitable examples.
1. Least Common Mechanism
2. The Principle of Least Privilege
3. Fail-Safe Stance
4. Separation of privilege
5. Open design
1) Least Common Mechanism
Meaning of least common mechanism is if multiple components in a system require the same functions and mechanisms then the system should has a single common mechanism that can use for those purposes. E.g.: device drivers, libraries, OS resource managers. Least common mechanism will help to minimize the complexity of the systems by avoiding duplicate mechanisms. It is easy to maintain. (Benzel, Irvine, Levin, Bhaskara, Nguyen and Clark, n.d.)
2) The Principle of Least Privilege
The Principle of least privilege states that users and computer programs be given the lowest privileges need to accomplish a task. A real world example for this is valet keys. When you buy a vehicle, manufactures give you valet keys. So that you can give your valet keys...
Please join StudyMode to read the full document