Task 1: Introduction

Security has become a buzzword; every company wants to claim its product or service is secure. But is it?

Before we start discussing the different security principles, it is vital to know the adversary against whom we are protecting our assets. Are you trying to stop a toddler from accessing your laptop? Or are you trying to protect a laptop that contains technical designs worth millions of dollars? Using the same protection mechanisms against toddlers and industrial espionage actors would be ludicrous. Consequently, knowing our adversary is a must, so we can learn about their attacks and start implementing appropriate security controls.

It is impossible to achieve perfect security; no solution is 100% secure. Therefore, we try to improve our security posture to make it more difficult for our adversaries to gain access.

The objectives of this room are to:

  • Explain the security functions: Confidentiality, Integrity, and Availability (CIA).
  • Present the opposite of the security triad, CIA: Disclosure, Alteration, and Destruction/Denial (DAD).
  • Introduce the fundamental concepts of security models, such as the Bell-LaPadula model.
  • Explain security principles such as Defence-in-Depth, Zero Trust, and Trust but Verify.
  • Introduce ISO/IEC 19249.
  • Explain the difference between Vulnerability, Threat, and Risk.

answer

No answer needed

Task 2: CIA

todo add image CIA.png

Before we can describe something as secure, we need to consider better what makes up security. When you want to judge the security of a system, you need to think in terms of the security triad: confidentiality, integrity, and availability (CIA).

  • Confidentiality: Ensuring that data is only accessible to those who are authorized to view it.
  • Integrity: Aims to ensure that data cannot be altered without authorization; moreover, any alteration that does occur can be detected.
  • Availability: Aims to ensure that a system or service is available when needed.

todo add image 2.png

Let’s consider the CIA security triad in the case of placing an order for online shopping:

  • Confidentiality: During online shopping, you expect your credit card number to be disclosed only to the entity that processes the payment. If you suspect that your credit card information will be disclosed to an untrusted party, you will most likely refrain from continuing with the transaction. Moreover, if a data breach results in the disclosure of personally identifiable information, including credit card numbers, the company will incur huge losses on multiple levels.

  • Integrity: After you fill out your order, if an intruder can alter the shipping address you submitted, the package will be sent to someone else. Without data integrity, you might be very reluctant to place your order with this seller.

  • Availability: To place your online order, you will either browse the store's website or use its official app. If the service is unavailable, you won't be able to browse the products or place an order. If you continue to face such technical issues, you might eventually give up and start looking for a different online store.

Let's consider the CIA triad as it relates to medical records and related systems:

  • Confidentiality: According to various laws in modern countries, healthcare providers must ensure and maintain the confidentiality of medical records. Consequently, healthcare providers can be held legally accountable if they illegally disclose their patients' medical records.

  • Integrity: If a patient record is accidentally or maliciously altered, it can lead to the wrong treatment being administered, which, in turn, can lead to a life-threatening situation. Hence, the system would be useless and potentially harmful without ensuring the integrity of medical records.

  • Availability: When a patient visits a clinic to follow up on their medical condition, the system must be available. An unavailable system would mean that the medical practitioner cannot access the patient's records and consequently won't know whether any current symptoms are related to the patient's medical history. This situation makes the medical diagnosis more challenging and error-prone.

The emphasis does not need to be the same on all three security functions. One example would be a university announcement; although it is usually not confidential, the document's integrity is critical.

Beyond CIA

todo add Beyond_CIA.png

Going one step beyond the CIA security triad, we can think of:

  • Authenticity: Authentic means not fraudulent or counterfeit. Authenticity is about ensuring that the document/file/data is from the claimed source.

  • Nonrepudiation: Repudiate means refusing to recognize the validity of something. Nonrepudiation ensures that the original source cannot deny that they are the source of a particular document/file/data. This characteristic is indispensable for various domains, such as shopping, patient diagnosis, and banking.

These two requirements are closely related. The need to tell authentic files or orders from fake ones is indispensable; moreover, ensuring that the other party cannot deny being the source is vital for many systems to be usable.

In online shopping, depending on your business, you might tolerate attempting to deliver a t-shirt with cash-on-delivery and learning later that the recipient never placed such an order. However, no company can tolerate shipping 1000 cars only to discover that the order is fake. In the example of a shopping order, you want to confirm that the said customer indeed placed this order; that's authenticity. Moreover, you want to ensure they cannot deny placing this order; that's nonrepudiation.

As a company, if you receive an order for 1000 cars, you need to ensure the authenticity of this order; moreover, the source must not be able to deny placing such an order. Without authenticity and nonrepudiation, the business cannot be conducted.
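The following Go program is an added example, not part of the room, that makes the integrity, authenticity and nonrepudiation properties from the shopping-order discussion concrete. It uses only the Go standard library: a SHA-256 hash lets the merchant detect an altered shipping address (integrity) but anyone can recompute it; an HMAC with a key shared by customer and merchant proves the order came from a key holder (authenticity) but, because the merchant holds the same key, the customer could still claim the merchant made it up; an Ed25519 signature made with the customer's private key is something the merchant can verify but cannot forge, which is what gives nonrepudiation. The Order type, the field values and the shared key are constructed for the example and assumed, not taken from the room.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Order is a constructed shopping order; the fields are example data, not from the room.
type Order struct {
	Customer string
	Item     string
	Qty      int
	ShipTo   string
}

// Bytes gives a canonical encoding so the hash, MAC and signature all cover every field.
func (o Order) Bytes() []byte {
	return []byte(fmt.Sprintf("%s|%s|%d|%s", o.Customer, o.Item, o.Qty, o.ShipTo))
}

// Digest covers integrity only: any change to the order changes the hash, so the
// change is detectable, but anyone (including an attacker) can recompute a matching
// hash for the altered order, so a bare hash proves nothing about the source.
func Digest(o Order) string {
	sum := sha256.Sum256(o.Bytes())
	return hex.EncodeToString(sum[:])
}

// Tag is an HMAC-SHA256 over the order using a key shared by customer and merchant.
// A valid tag shows the order came from someone holding the key (authenticity), but
// both parties hold it, so the tag cannot show which of them produced it.
func Tag(key []byte, o Order) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(o.Bytes())
	return mac.Sum(nil)
}

// VerifyTag uses a constant-time comparison so the check does not leak the tag byte by byte.
func VerifyTag(key []byte, o Order, tag []byte) bool {
	return hmac.Equal(Tag(key, o), tag)
}

// NewCustomerKeys generates an Ed25519 key pair: the private half stays with the
// customer, the public half is handed to the merchant.
func NewCustomerKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign produces a signature only the private-key holder can create. The merchant can
// verify it with the public key but could not have forged it, so the customer cannot
// later deny placing the order: this is the nonrepudiation property.
func Sign(priv ed25519.PrivateKey, o Order) []byte {
	return ed25519.Sign(priv, o.Bytes())
}

// VerifySig checks the signature against the customer's public key.
func VerifySig(pub ed25519.PublicKey, o Order, sig []byte) bool {
	return ed25519.Verify(pub, o.Bytes(), sig)
}

func main() {
	order := Order{Customer: "alice", Item: "car", Qty: 1000, ShipTo: "1 Example St"}
	altered := order
	altered.ShipTo = "99 Attacker Rd" // the altered-shipping-address scenario

	sharedKey := []byte("constructed-shared-key-do-not-reuse") // assumed example key
	tag := Tag(sharedKey, order)
	fmt.Println("hash changes on alteration:      ", Digest(order) != Digest(altered))
	fmt.Println("HMAC rejects altered order:      ", !VerifyTag(sharedKey, altered, tag))
	// The merchant also holds sharedKey, so it could produce a valid tag for any order
	// it likes; a valid HMAC therefore does not stop the customer repudiating the order.
	fmt.Println("merchant can forge HMAC for fake:", VerifyTag(sharedKey, altered, Tag(sharedKey, altered)))

	pub, priv, err := NewCustomerKeys()
	if err != nil {
		panic(err)
	}
	sig := Sign(priv, order)
	fmt.Println("signature verifies:              ", VerifySig(pub, order, sig))
	fmt.Println("signature rejects altered order: ", !VerifySig(pub, altered, sig))
	_, merchantPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// A signature made with any key other than the customer's fails under the customer's public key.
	fmt.Println("merchant cannot forge signature: ", !VerifySig(pub, altered, Sign(merchantPriv, altered)))
}
```

Run it with `go run` on any Go 1.13 or later toolchain; no external modules are needed. The design point is the contrast between the last two checks: HMAC and a signature both give integrity and authenticity, but only the signature binds the order to a key that the verifying party never had, which is the difference between "someone with the key sent this" and "the customer, and nobody else, sent this".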

Parkerian Hexad

In 1998, Donn Parker proposed the Parkerian Hexad, a set of six security elements:

  1. Availability
  2. Utility
  3. Integrity
  4. Authenticity
  5. Confidentiality
  6. Possession

We have already covered four of the above six elements. Let's discuss the remaining two:

  • Utility: Utility focuses on the usefulness of the information. For instance, a user might have lost the decryption key to access a laptop with encrypted storage. Although the user still has the laptop with its disk(s) intact, they cannot access them. In other words, although still available, the information is in a form that is not useful, i.e. of no utility.
  • Possession: This security element requires that we protect the information from unauthorized taking, copying, or controlling.