This material was developed with funding from the National Science Foundation under Grant # DUE 1601612
Cybersecurity Principles
Introduction
Bob is a software developer. His ultimate goal is to create a design that does the task intended, is efficient, effective and usable. Bob uses security design principles to help him achieve the main tenets of information security—confidentiality, integrity, and availability of the system, sub-system, and system data.
Contents
Open Design
Least Astonishment (Psychological Acceptability)
Minimization Principles
Quiz
Usability
Minimize Trust Surface (Reluctance to Trust)
Good Design Principles
Trust Relationships
Authorization Principles
Modularity
Bob will subdivide a system into smaller parts or modules that can be independently created and then used in several systems. Security functions are developed as separate, protected modules.
Simplicity of Design (Economy of Mechanism)
When Bob designs a security measure, it should be as simple and small as possible.
Layering (Defense in Depth)
Bob will use multiple, overlapping protection approaches to address the people, technology, and operational aspects of information systems. Defense in depth protects with a series of security mechanisms so that if one fails, others will be in place.
[Figure: defense-in-depth layers: Policies, Procedures & Awareness; Physical; Perimeter; Network; Host; App; Data]
Separation
Bob uses a practice in which multiple privilege attributes are required to achieve access to a restricted resource. Data and/or systems are separated into logically-defined domains, and communication between domains must be authorized.
[Figure: Domain A (the parent domain) with child domains Domain B: Database Chicago, Domain C: Database Houston, and Domain D: Database Dallas; the users Alice, Bob, Carol, David, and Earl are placed in these domains. Users in Domain A, the parent domain, can see and manage records in Domains B, C, and D (the child domains). Users in a child domain cannot see or manage records in a parent domain.]
Complete Mediation
Bob must check every access against the access control setting to ensure that access is allowed.
[Figure: an access request checked against the access control setting, with the result Access Allowed]
Least Privilege
Bob will ensure that every process and every user of the system operates using the least set of privileges necessary to perform the task.
[Figure: resources assigned by role. Labels: General Employee Role, Sales Role, IT Role, Accounting, Email, Directory, Corporate Network, UNIX, Mainframe, Salesforce, Payroll, Customer Database]
Fail Safe Defaults/Fail Secure
Bob will make access decisions based on permission rather than exclusion. If a hacker enters the wrong information, the system should reject the attempt with a message stating that the login failed and not state that just the password was incorrect.
[Figure: a login form with Username and Password fields; the reaction "So the username is correct!" shows what an error message that names only the password reveals]
Encapsulation
Bob can use a specific form of isolation based on object-oriented functionality. Encapsulation hides the values or state of a structured data object inside a class (a domain of its own), preventing any direct access by unauthorized parties.
[Figure: a Class containing its Variables and Methods]
Usability
Bob wants to make sure that his users can easily use and quickly learn a tool, device, or software.
Open Design
Bob knows that the design of a security mechanism should be open and not depend on the secrecy of the design details or implementation.
For example, RSA is an asymmetric encryption algorithm based on the principle that it is easy to multiply large numbers, but factoring large numbers is difficult. The public key consists of two numbers. One number is the result of multiplying two large prime numbers. The private key is derived from the same two prime numbers. The difficulty in factoring large numbers is what keeps the key pair secure.
[Figure: RSA Encipher with Alice’s Public Key turns the Original Plaintext into Ciphertext; RSA Decipher with Alice’s Private Key recovers the plaintext]
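A worked version of the RSA relationship described above, added here as an example and not part of the original module: the algorithm is entirely public, and the toy primes 61 and 53 (an assumption, chosen so the numbers can be checked by hand) also show that the private key stays secret only for as long as n is hard to factor.

```python
"""Textbook RSA on toy primes, constructed to illustrate the Open Design
principle: the algorithm is public; only the factors of n are secret."""
from math import gcd


def keygen(p: int, q: int, e: int = 17):
    """Build (public, private) keys from two primes; e must be coprime to phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # private exponent: modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encipher(m: int, public_key) -> int:
    """c = m^e mod n, computable by anyone holding the public key."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decipher(c: int, private_key) -> int:
    """m = c^d mod n, which needs the private exponent d."""
    n, d = private_key
    return pow(c, d, n)


def recover_private_key(public_key):
    """Derive d from the public key alone by factoring n with trial division.
    This succeeds here only because n is tiny; at real key sizes factoring is
    infeasible, which is exactly where RSA's security lives."""
    n, e = public_key
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            q = n // p
            return (n, pow(e, -1, (p - 1) * (q - 1)))
    raise ValueError("n has no nontrivial factor")


if __name__ == "__main__":
    public, private = keygen(61, 53)      # Alice's key pair (constructed toy primes)
    c = encipher(65, public)              # Bob enciphers with Alice's public key
    print(c, decipher(c, private))        # 2790 65
    print(recover_private_key(public) == private)  # True: a small n is factorable
```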
Least Astonishment (Psychological Acceptability)
Bob realizes that a program or user interface should always respond in the way that is least likely to astonish the user. When Microsoft removed the Start button from its operating system, Microsoft released an updated version adding the Start button back.
[Figure: a desktop with no Start button]
Trust Relationships
Bob must maintain a Trust Boundary. The issues in establishing trust include the following:
- Authenticating the other endpoint to prevent masquerading
- Ensuring the security of the communication to maintain the confidentiality of the data
- Preventing data tampering to maintain the integrity of the data
Trust must be created, not assumed. There should be clear distinctions between privilege levels when Bob accesses resources. If Bob logs in and is authenticated, he must also have authorization to access a resource.
[Figure: Web Server, Application Server, Database Server, and Email Server separated by a Trust Boundary; Access Granted]
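The constructed reference monitor below is added as an example (not the module's own code) to show Fail Safe Defaults, Complete Mediation, Least Privilege, and the authentication/authorization distinction from Trust Relationships working together; the user names, roles, resources, and passwords are assumed sample data.

```python
"""Constructed reference monitor: fail-safe defaults, complete mediation,
least privilege, and authentication kept separate from authorization."""
import hashlib
import hmac

SALT = b"constructed-salt"  # a real system stores a random salt per user
LOGIN_FAILED = "Login failed"  # one generic message; never says which field was wrong


def _hash(password: str, salt: bytes = SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: password hashes plus role assignments (no plaintext).
USERS = {
    "bob": {"pw": _hash("correct horse"), "roles": {"general", "sales"}},
    "alice": {"pw": _hash("battery staple"), "roles": {"general", "it"}},
}

# Allow-list policy: role -> resource -> permitted actions. Anything absent is denied.
POLICY = {
    "general": {"email": {"read", "send"}, "directory": {"read"}},
    "sales": {"salesforce": {"read", "write"}, "customer_db": {"read"}},
    "it": {"unix": {"login"}, "mainframe": {"login"}},
}


def authenticate(username: str, password: str):
    """Fail-safe default: unknown user and wrong password produce the same answer."""
    record = USERS.get(username)
    # Hash even for unknown users so timing does not reveal whether the name exists.
    stored = record["pw"] if record else _hash("")
    if record and hmac.compare_digest(stored, _hash(password)):
        return username, None
    return None, LOGIN_FAILED


def authorize(username: str, resource: str, action: str) -> bool:
    """Complete mediation and least privilege: every request is checked, default deny."""
    roles = USERS.get(username, {}).get("roles", set())
    return any(action in POLICY.get(r, {}).get(resource, set()) for r in roles)


def access(username: str, password: str, resource: str, action: str) -> str:
    """Trust is created, not assumed: being authenticated grants nothing by itself."""
    user, err = authenticate(username, password)
    if user is None:
        return "denied: " + err
    if not authorize(user, resource, action):
        return "denied: not authorized"
    return "granted"
```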
Quiz 1 of 10
Drag each term to its appropriate description.
Terms: Least Astonishment; Minimize Trust Surface
Descriptions:
- The design does not depend on the secrecy of the design details
- The user interface responds as expected
- Software that users learn quickly and is easy to use
- Boundaries exist to prevent masquerading and to maintain confidentiality and integrity
- Clear distinctions between privilege levels exist (i.e., authentication AND authorization)
Isolation
Bob knows that public access systems should be isolated from critical resources (data, processes, etc.) to prevent disclosure or tampering.
Operating systems use various hardware and software technologies to enforce process isolation. For example, the processes and files of individual users should be isolated from one another except where it is explicitly desired.
[Figure: a network segmented into a LAN and a DMZ]
Quiz 2 of 10
Term: Fail Safe Defaults
Descriptions:
- multiple privilege attributes are required to achieve access to a restricted resource
- Protection is provided by having a collection of procedures in a domain of its own
- access decisions based on permission rather than exclusion
- every access is checked against the access control setting to ensure that access is allowed
- privileges granted to perform the required task
Quiz 3 of 10
What design principle is illustrated? [image not recoverable]
Option: Simplicity of design
Feedback: That’s correct! A system should be subdivided into smaller parts that can be independently created and then used in several systems.
Quiz 4 of 10
Bob works at a small company. When he enters the building, he has access to all rooms. Which principles of security is the company violating with this practice? Select all possible answers.
- Least privilege
- Psychological Acceptability
- Complete mediation
- Fail Secure
Quiz 5 of 10
What design principle does the lock pictured above violate? [image not recoverable]
Quiz 6 of 10
Bob designed an administrative interface that grants access to production management networks, checks for administrative user authorization, and logs all access. Which of the following best describes the security principle that Bob has employed?
- Defense in depth
Quiz 7 of 10
“The security of a mechanism should not depend on the secrecy of its design or implementation” describes which of the following principles?
Quiz 8 of 10
This security principle maintains confidentiality, integrity, and availability by defaulting to a secure state: unless a user is given explicit access to an object, that user is denied access to that object.
Quiz 9 of 10
Bob is verifying that all pages and resources in his web application require authentication by default, except those specifically intended to be public. What design principle does this describe?
Quiz 10 of 10
Drag the cybersecurity principle into its proper category.
Term: Trust Boundaries