Security Training Presentation
Group A
Brian Durst, David Bediako,
Tony Orum, Jeannie Johnson
Walden University
Professor Kapoor
Security Principles Overview
Most security plans and policies are founded upon common principles.
Components of Informational System
Now let us look at some principles to gain an understanding of Security and Formal Models.
Tenants of Security
Next, we detail some types of Models
Open-Door
Entitlement model
The open door model is easy to implement in most cases. Usually only a small portion of data on the network needs to be secured. For example, secrets such as the Big Mac recipe or confidential employee records.
Is based on the assumption that the users are entitled to have network access
Closed-Door
Permission model
Is based on the assumption that the users are not entitled to anything , but need permission for every network access
This model should only be used if the network contains a lot of sensitive data. Be warned this can lead to “Cone of Silence Syndrome.” This means that network users will complain that they can not get to the info they need. System administrators will always be adjusting users’ rights and you will need to invest time in administering the network policy.
The User View
The Clark-Wilson model focuses on the assumption that bookkeeping in financial institutions is the most important integrity check.
“The model recognizes that the recording of data has an internal structure such that it accurately models the real-world financial state of the organization” (Dhillon, 2007). Basically, it ensures information integrity only by allowing certified actions through explicitly authorized users on data items.
The Clark Wilson Model
The Implementation View
Focuses on mandatory and discretionary access control and is rigid in its control
Has a hierarchy tree structure with the condition that all nodes of the structure have a parent structure. “This means that the hierarchy of objects is either that of single isolated objects or one with several children; however, a child has only one parent. This is termed a tree structure” (Dhillon, 2007).
The Bell LaPadula Model
The Implementation View
Focuses on the assumption that information is constantly flowing, being compared, and merging.
This type is concerned with the security of information flow. “It maintains the ‘need-to-know’ nature of strict access controls, so that users and files are given the ability to collect information only for domains to which they are supposed to be designated” (Dhillon, 2007).
The Denning Information Flow Model
Formal Models
Bell-LaPadula
Biba
Clark-Wilson
Rushby's
Denning Information Flow
Brief Comparison
Best Principles
· Awareness – Users need to be aware of the need for security and do their best to enhance security
· Confidentiality
· Integrity
· Availability
· Ethical – Respect the interests of others
· Response – Act in timely manner to prevent security incidents
· Risk Assessment – It is important to conduct risk assessments
· Reassessment – Review and reassess the system and make appropriate modifications to increase security
· · Separation of duty: No single person should perform a task from beginning to end, but that the task should be divided among two or more people to prevent fraud.
Best Practices
· Report incidents at an early stage and take corrective measures
· Subscribe and read security bulletins
· Know your hardware and visit vendor sites to stay up to date with patches and bugs
· Keep the system physically secure. Make sure unauthorized access is not allowed.
· Keep the systems running with only the services needed and software required for use.
· Assign appropriate rights to system users
· Choose strong passwords
· Educate users on the importance of good security practices
· Install security patches as they become available
· Monitor your system
· Create backup and recovery schedules
Conclusion