Security Engineering (WK8) Flashcards
User and permission management
Adding and removing users from the system and setting up appropriate permissions for users
Software deployment and maintenance
Installing application software and middleware and configuring those systems so that vulnerabilities are avoided
Attack monitoring, detection and recovery
monitoring the system for unauthorised access, design strategies for resisting attacks and develop backup and recovery strategies
What are the four types of misuse cases?
Interception: attacker gains access to an asset
Interruption: attacker makes part of a system unavailable
Modification: a system asset is tampered with
Fabrication: false information is added to a system
Security risk assessment: asset
Asset identification: Identify what has to be protected
Asset value assessment: estimate value of identified assets
Exposure assessment: identify potential losses associated with each asset
Threat identification: identify the most probable threats to the system assets
Example: (but represent in a table)
Asset: the information system
Value: high. required to support all clinical consultations. potentially safety-critical.
Exposure: high. financial loss as clinics may be cancelled. costs of restoring system.
Security risk assessment: attacks
Attack assessment: decompose threats into possible attacks on the system and the way that these may occur
Control identification: oppose the controls that may be put in place to protect an asset
Feasibility assessment: assess the technical feasibility and cost of the controls
Security requirements definition: define system security requirements
Example (but represent in a table):
Threat: unauthorised user gains access as a system manager and makes system unavailable.
Probability: low
Control: only allow system management from specific locations that are secure.
Feasibility: low cost of implementation but care needs to be taken with key distribution.
Lifecycle and operational risk assessment
Done during system development
- more information is available
- vulnerabilities that arise from design choices may therefore be identified
- Operational assessment: info about the environment is assessed. environment characteristics can lead to new system risks
What are the two main things with designing for security?
- Architectural design
- Good practice (using accepted good practices in design)
Architectural design for security: two fundamental issues
Protection (assets are protected): How should the system be organised to protect assets?
Distribution: How should assets be distributed to minimise effects of a successful attack?
What are the three layers of protection (architecture design)?
- platform-level: top level controls on the platform a system runs (OS, web browser, server, etc)
- Application-level: Specific protection mechanisms built into the application itself (password protection, transaction management, database authorisation)
- Record-level: protection invoked when access to specific information is requested (record encryption)
Distribution of assets - why?
Means that attacks on one system don’t necessarily result in complete loss of system service. Each platform has seperate protection features so as to not share a common vulnerability.
DG: Base security decisions on an explicit security policy
Define a security policy for the organisation that sets out the fundamental security requirements that should apply to all organisational assets.
DG: Avoid a single point of failure
Ensure that a security failure can only result when there is more than one failure in security procedures
DG: Fail securely
When systems fail, ensure that sensitive information cannot be accessed by authorised users even although normal security procedures are unavailable
DG: balance security and usability
Try to avoid security procedures that make the system difficult to use. Sometime you have to accept weaker security to make the system more usable.