Information Assurance And Security - Chapter 2 - Lesson 4
- 1. Principles of Information Security, Fifth Edition Chapter 2 The Need for Security Lesson 4–Technical Hardware
- 2. Learning Objectives • Upon completion of this lesson, you should be able to: – Describe the relationship between technical hardware failures and errors ,and technical software failures and errors against information within systems. Principles of Information Security, Fifth Edition 2
- 3. Technical Hardware Failures or Errors • They occur when a manufacturer distributes equipment containing a known or unknown flaw. • They can cause the system to perform outside of expected parameters, resulting in unreliable service or lack of availability. • Some errors are terminal and some are intermittent. • Intel Pentium CPU failure • Mean time between failure measures the amount of time between hardware failures. Principles of Information Security, Fifth Edition 3
- 4. Technical Software Failures or Errors (cont’d) • Large quantities of computer code are written, debugged, published, and sold before all bugs are detected and resolved. • Combinations of certain software and hardware can reveal new software bugs. • Entire Web sites are dedicated to documenting bugs. • Open Web Application Security Project (OWASP) is dedicated to helping organizations create/operate trustworthy software and publishes a list of top security risks. Principles of Information Security, Fifth Edition 4
- 5. The Deadly Sins in Software Security • Common failures in software development: – Buffer overruns – Command injection – Cross-site scripting (XSS) – Failure to handle errors – Failure to protect network traffic – Failure to store and protect data securely – Failure to use cryptographically strong random numbers Principles of Information Security, Fifth Edition 5
- 6. The Deadly Sins in Software Security (cont’d) • Common failures in software development (cont’d): – Format string problems – Neglecting change control – Improper file access – Improper use of SSL – Information leakage – Integer bugs (overflows/underflows) – Race conditions – SQL injection Principles of Information Security, Fifth Edition 6
- 7. The Deadly Sins in Software Security (cont’d) • Problem areas in software development: – Trusting network address resolution – Unauthenticated key exchange – Use of magic URLs and hidden forms – Use of weak password-based systems – Poor usability Principles of Information Security, Fifth Edition 7
- 8. Technological Obsolescence • Antiquated/outdated infrastructure can lead to unreliable, untrustworthy systems. • Proper managerial planning should prevent technology obsolescence. • IT plays a large role. Principles of Information Security, Fifth Edition 8
- 9. Theft • Illegal taking of another’s physical, electronic, or intellectual property • Physical theft is controlled relatively easily. • Electronic theft is a more complex problem; the evidence of crime is not readily apparent. Principles of Information Security, Fifth Edition 9
- 10. Secure Software Development • Many information security issues discussed here are caused by software elements of the system. • Development of software and systems is often accomplished using methodology such as systems development life cycle (SDLC). • Many organizations recognize the need for security objectives in SDLC and have included procedures to create more secure software. • This software development approach is known as Software Assurance (SA). Principles of Information Security, Fifth Edition 10
- 11. Software Assurance and the SA Common Body of Knowledge • A national effort is underway to create a common body of knowledge focused on secure software development. • U.S. Department of Defense and Department of Homeland Security supported the Software Assurance Initiative, which resulted in the publication of Secure Software Assurance (SwA) Common Body of Knowledge (CBK). • SwA CBK serves as a strongly recommended guide to developing more secure applications. Principles of Information Security, Fifth Edition 11
- 12. Software Design Principles • Good software development results in secure products that meet all design specifications. • Some commonplace security principles: – Keep design simple and small – Access decisions by permission not exclusion – Every access to every object checked for authority – Design depends on possession of keys/passwords – Protection mechanisms require two keys to unlock – Programs/users utilize only necessary privileges Principles of Information Security, Fifth Edition 12
- 13. Software Design Principles (cont’d) • Some commonplace security principles: – Minimize mechanisms common to multiple users – Human interface must be easy to use so users routinely/automatically use protection mechanisms. Principles of Information Security, Fifth Edition 13
- 14. Summary • Unlike any other aspect of IT, information security’s primary mission is to ensure things stay the way they are. • Information security performs four important functions: – Protects organization’s ability to function – Enables safe operation of applications implemented on organization’s IT systems – Protects data the organization collects and uses – Safeguards the technology assets in use at the organization Principles of Information Security, Fifth Edition 14
- 15. Summary (cont’d) • Threat: object, person, or other entity representing a constant danger to an asset • Management effectively protects its information through policy, education, training, and technology controls. • Attack: a deliberate act that exploits vulnerability • Secure systems require secure software. Principles of Information Security, Fifth Edition 15