Security Design Principles Flashcards
Economy of mechanism
Design should be as simple and small as possible
-> easy to test and verify
-> a more complex design has a bigger attack surface and more potentially vulnerable components
-> simplifies configuration management, updates and replacements
Fail-safe default
Access based on permission rather than exclusion
-> default is lack of access, protection scheme finds conditions for permitted access.
Complete mediation
Every access must be checked against the access control mechanism
-> decisions should not simply be retrieved from a cache; cached authorization results must be treated skeptically.
-> When a file is already open, access is typically not checked again; instead, every time a modification is applied, access control should be rechecked
Open design
Mechanism should be open rather than secret
-> benefits from community
-> does not rely on hiding/obfuscation for a false-sense of security
Separation of privilege
Multiple privilege attributes are used to achieve access to a restricted resource
-> MFA requires multiple authentication resources
-> Program divided into parts limited to specific privileges to perform a specific task
-> Day-to-day interfaces have the lowest privileges.
Least Privilege
Process and users should operate with the least set of privileges necessary to perform a task.
-> System security policy identifies and defines the roles of users or processes.
-> Every permission specifies access to a particular resource
-> If permission is not defined, access to resource is not allowed
-> Higher privileges should only be active for a time window (temporal aspect)
Least Common Mechanism
Design should minimize functions shared by different users, providing mutual security.
-> reduces number of unintended communication paths
Psychological Acceptability
Design should not interfere unduly with the work and also meet the needs of those who authorize access.
-> if security mechanisms hinder usability, the user might turn them off (minimal obstruction)
-> it should try to adhere to the user’s mental model of protection
Isolation
Public systems should be isolated from critical resources
-> limit number of systems where data is stored and isolate them
-> physical isolation: no physical connection between public access and critical information
-> logical isolation: OS separate process space, memory space, file space. Crypto software has a logical boundary to protect from tampering, and key disclosure or replacement
Encapsulation (Isolation)
Isolation based on a logical collection of procedures and data objects that belong to a domain
Modularity
Security functions as protected modules
Modular architecture for design and implementation
-> easier to centralize and improve the design of a single component (like cryptographic modules) and harden it from attacks
-> modular architecture allows updating single components more easily without having to update the complete system or make it unavailable for an upgrade
Layering
Multiple, overlapping protections between all software, hardware and human resources
-> ensures failure or circumvention of one does not compromise the whole system
-> also called Defense in Depth
Least astonishment
System should always respond in the way that is least likely to astonish the user.
-> transparent to the user, so it is understandable how something works
Attack surfaces
Reachable or exploitable vulnerabilities in a system
Network: vulnerabilities over a local or public network; also protocols.
OSI Layer 3-6
Software: vulnerabilities in application, utility or OS software (e.g. web server software)
OSI Layer 7
Human: vulnerabilities in personnel or outsiders, social engineering, human error, or trusted insiders.
Attack surface Analysis
Assess scale and severity of threat
-> find ways to make the surface smaller
-> set priorities for testing