Compare and contrast two fundamental security design principles Analyze how these principles and how they impact an organizations security posture
compare and contrast two fundamental security design principles. Analyze how these principles and how they impact an organizations security posture. Please make sure to write 250 words in APA format with in-text citation. also you must use at least one scholarly resource. See attached document for reference.
Cryptography and Network Security:
Principles and Practice Eighth Edition
Chapter 1
Information and Network Security
Concepts
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Cybersecurity (1 of 3)
Cybersecurity is the collection of tools, policies, security
concepts, security safeguards, guidelines, risk management
approaches, actions, training, best practices, assurance, and
technologies that can be used to protect the cyberspace
environment and organization and users’ assets.
Organization and users’ assets include connected computing
devices, personnel, infrastructure, applications, services,
telecommunications systems, and the totality of transmitted
and/or stored information in the cyberspace environment.
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Cybersecurity (2 of 3)
Cybersecurity strives to ensure the attainment and
maintenance of the security properties of the organization
and users’ assets against relevant security risks in the
cyberspace environment. The general security objectives
comprise the following: availability; integrity, which may
include data authenticity and nonrepudiation; and
confidentiality
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Cybersecurity (3 of 3)
Information Security
• This term refers to preservation of confidentiality, integrity,
and availability of information. In addition, other properties,
such as authenticity, accountability, nonrepudiation, and
reliability can also be involved
Network Security
• This term refers to protection of networks and their service
from unauthorized modification, destruction, or disclosure,
and provision of assurance that the network performs its
critical functions correctly and there are no harmful side
effects
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Security Objectives (1 of 2)
• The cybersecurity definition introduces three key
objectives that are at the heart of information and network
security:
– Confidentiality: This term covers two related
concepts:
▪ Data confidentiality: Assures that private or
confidential information is not made available or
disclosed to unauthorized individuals
▪ Privacy: Assures that individuals control or
influence what information related to them may be
collected and stored and by whom and to whom
that information may be disclosed
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Security Objectives (2 of 2)
• Integrity: This term covers two related concepts:
– Data integrity: Assures that data and programs are changed only
in a specified and authorized manner. This concept also
encompasses data authenticity, which means that a digital object
is indeed what it claims to be or what it is claimed to be, and
nonrepudiation, which is assurance that the sender of information
is provided with proof of delivery and the recipient is provided with
proof of the sender’s identity, so neither can later deny having
processed the information
– System integrity: Assures that a system performs its intended
function in an unimpaired manner, free from deliberate or
inadvertent unauthorized manipulation of the system
• Availability: Assures that systems work promptly and service is not
denied to authorized users
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Figure 1.1 Essential Information and
Network Security Objectives
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Computer Security Challenges
• Security is not simple
• Potential attacks on the security
features need to be considered
• Procedures used to provide
particular services are often
counter-intuitive
• It is necessary to decide where
to use the various security
mechanisms
• Requires constant monitoring
• Is too often an afterthought
• Security mechanisms typically
involve more than a particular
algorithm or protocol
• Security is essentially a battle of
wits between a perpetrator and
the designer
• Little benefit from security
investment is perceived until a
security failure occurs
• Strong security is often viewed as
an impediment to efficient and
user-friendly operation
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
O S I Security Architecture
• Security attack
– Any action that compromises the security of information
owned by an organization
• Security mechanism
– A process (or a device incorporating such a process) that is
designed to detect, prevent, or recover from a security
attack
• Security service
– A processing or communication service that enhances the
security of the data processing systems and the information
transfers of an organization
– Intended to counter security attacks, and they make use of
one or more security mechanisms to provide the service
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Threats and Attacks
Threat
A potential for violation of security, which exists when there
is a circumstance, capability, action, or event that could
breach security and cause harm. That is, a threat is a
possible danger that might exploit a vulnerability.
Attack
An assault on system security that derives from an intelligent
threat; that is, an intelligent act that is a deliberate attempt
(especially in the sense of a method or technique) to evade
security services and violate the security policy of a system.
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Figure 1.2 Key Concepts in Security (1 of 2)
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Figure 1.2 Key Concepts in Security (2 of 2)
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Security Attacks
• A means of classifying security attacks, used both in X.800
and R F C 4949, is in terms of passive attacks and active
attacks
• A passive attack attempts to learn or make use of
information from the system but does not affect system
resources
• An active attack attempts to alter system resources or
affect their operation
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Passive Attacks
• Are in the nature of
eavesdropping on, or
monitoring of,
transmissions
• Goal of the opponent is to
obtain information that is
being transmitted
• Two types of passive
attacks are:
– The release of message
contents
– Traffic analysis
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Active Attacks
• Involve some modification of the
data stream or the creation of a
false stream
• Difficult to prevent because of the
wide variety of potential physical, software, and network
vulnerabilities
• Goal is to detect attacks and to
recover from any disruption or
delays caused by them
• Masquerade
– Takes place when one entity
pretends to be a different entity
– Usually includes one of the other
forms of active attack • Replay
– Involves the passive capture of a
data unit and its subsequent
retransmission to produce an
unauthorized effect • Data Modification
– Some portion of a legitimate
message is altered, or messages
are delayed or reordered to
produce an unauthorized effect • Denial of service
– Prevents or inhibits the normal use
or management of communications
facilities
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Figure 1.3 Security Attacks
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Authentication (1 of 2)
• Concerned with assuring that a communication is authentic
– In the case of a single message, assures the recipient
that the message is from the source that it claims to be
from
– In the case of ongoing interaction, assures the two
entities are authentic and that the connection is not
interfered with in such a way that a third party can
masquerade as one of the two legitimate parties
• Two specific authentication services are defined in X.800:
– Peer entity authentication
– Data origin authentication
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Authentication (2 of 2)
• Peer entity authentication
– Provides for the corroboration of the identity of a peer entity in an
association. Two entities are considered peers if they implement
the same protocol in different systems. Peer entity authentication
is provided for use at the establishment of, or at times during the
data transfer phase of, a connection. It attempts to provide
confidence that an entity is not performing either a masquerade or
an unauthorized replay of a previous connection
• Data origin authentication
– Provides for the corroboration of the source of a data unit. It does
not provide protection against the duplication or modification of
data units. This type of service supports applications like
electronic mail, where there are no ongoing interactions between
the communicating entities
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Access Control
• The ability to limit and control the access to host systems
and applications via communications links
• To achieve this, each entity trying to gain access must first
be identified, or authenticated, so that access rights can be
tailored to the individual
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Data Confidentiality
• The protection of transmitted data from passive attacks
– Broadest service protects all user data transmitted between
two users over a period of time
– Narrower forms of service includes the protection of a single
message or even specific fields within a message
• The protection of traffic flow from analysis
– This requires that an attacker not be able to observe the
source and destination, frequency, length, or other
characteristics of the traffic on a communications facility
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Data Integrity
• Can apply to a stream of messages, a single message, or
selected fields within a message
• Connection-oriented integrity service, one that deals with a
stream of messages, assures that messages are received
as sent with no duplication, insertion, modification,
reordering, or replays
• A connectionless integrity service, one that deals with
individual messages without regard to any larger context,
generally provides protection against message
modification only
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Nonrepudiation
• Prevents either sender or receiver from denying a
transmitted message
• When a message is sent, the receiver can prove that the
alleged sender in fact sent the message
• When a message is received, the sender can prove that
the alleged receiver in fact received the message
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Availability Service
• Protects a system to ensure its availability
• This service addresses the security concerns raised by
denial-of-service attacks
• It depends on proper management and control of system
resources and thus depends on access control service and
other security services
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Security Mechanisms (1 of 2)
• Cryptographic algorithms: We can distinguish between
reversible cryptographic mechanisms and irreversible
cryptographic mechanisms. A reversible cryptographic
mechanism is simply an encryption algorithm that allows data to
be encrypted and subsequently decrypted. Irreversible
cryptographic mechanisms include hash algorithms and
message authentication codes, which are used in digital
signature and message authentication applications.
• Data integrity: This category covers a variety of mechanisms
used to assure the integrity of a data unit or stream of data
units.
• Digital signature: Data appended to, or a cryptographic
transformation of, a data unit that allows a recipient of the data
unit to prove the source and integrity of the data unit and protect
against forgery.
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Security Mechanisms (2 of 2)
• Authentication exchange: A mechanism intended to ensure
the identity of an entity by means of information exchange.
• Traffic padding: The insertion of bits into gaps in a data stream
to frustrate traffic analysis attempts.
• Routing control: Enables selection of particular physically or
logically secure routes for certain data and allows routing
changes, especially when a breach of security is suspected.
• Notarization: The use of a trusted third party to assure certain
properties of a data exchange
• Access control: A variety of mechanisms that enforce access
rights to resources.
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Figure 1.4 Cryptographic Algorithms
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Keyless Algorithms
• Deterministic functions that have certain properties useful
for cryptography
• One type of keyless algorithm is the cryptographic hash
function
– A hash function turns a variable amount of text into a
small, fixed-length value called a hash value, hash
code, or digest
– A cryptographic hash function is one that has additional
properties that make it useful as part of another
cryptographic algorithm, such as a message
authentication code or a digital signature
• A pseudorandom number generator produces a
deterministic sequence of numbers or bits that has the
appearance of being a truly random sequence
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Single-Key Algorithms (1 of 3) • Single-key cryptographic algorithms depend on the use of
a secret key
• Encryption algorithms that use a single key are referred to
as symmetric encryption algorithms
– With symmetric encryption, an encryption algorithm
takes as input some data to be protected and a secret
key and produces an unintelligible transformation on
that data
– A corresponding decryption algorithm takes the
transformed data and the same secret key and
recovers the original data
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Single-Key Algorithms (2 of 3) • Symmetric encryption takes the following forms:
– Block cipher
▪ A block cipher operates on data as a sequence of
blocks
▪ In most versions of the block cipher, known as
modes of operation, the transformation depends not
only on the current data block and the secret key but
also on the content of preceding blocks
– Stream cipher
▪ A stream cipher operates on data as a sequence of
bits
▪ As with the block cipher, the transformation depends
on a secret key
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Single-Key Algorithms (3 of 3)
• Another form of single-key cryptographic algorithm is the
message authentication code (M A C)
– A M A C is a data element associated with a data block
or message
– The M A C is generated by a cryptographic
transformation involving a secret key and, typically, a
cryptographic hash function of the message
– The M A C is designed so that someone in possession
of the secret key can verify the integrity of the message
– The recipient of the message plus the M A C can
perform the same calculation on the message; if the
calculated M A C matches the M A C accompanying the
message, this provides assurance that the message
has not been altered
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Asymmetric Algorithms
• Encryption algorithms that use a single key are referred to as
asymmetric encryption algorithms
• Digital signature algorithm
– A digital signature is a value computed with a cryptographic
algorithm and associated with a data object in such a way that any
recipient of the data can use the signature to verify the data’s
origin and integrity
• Key exchange
– The process of securely distributing a symmetric key to two or
more parties
• User authentication
– The process of authenticating that a user attempting to access an
application or service is genuine and, similarly, that the application
or service is genuine
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Figure 1.5 Key Elements of Network
Security
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Communications Security
• Deals with the protection of communications through the
network, including measures to protect against both passive and
active attacks
• Communications security is primarily implemented using
network protocols
– A network protocol consists of the format and procedures
that governs the transmitting and receiving of data between
points in a network
– A protocol defines the structure of the individual data units
and the control commands that manage the data transfer
• W ith respect to network security, a security protocol may be an
enhancement that is part of an existing protocol or a standalone
protocol
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Device Security (1 of 2)
• The other aspect of network security is the protection of
network devices, such as routers and switches, and end
systems connected to the network, such as client systems
and servers
• The primary security concerns are intruders that gain
access to the system to perform unauthorized actions,
insert malicious software (malware), or overwhelm system
resources to diminish availability
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Device Security (2 of 2) • Three types of device security are:
– Firewall
▪ A hardware and/or software capability that limits access
between a network and device attached to the network, in
accordance with a specific security policy. The firewall acts as
a filter that permits or denies data traffic, both incoming and
outgoing, based on a set of rules based on traffic content
and/or traffic pattern
– Intrusion detection
▪ Hardware or software products that gather and analyze
information from various areas within a computer or a network
for the purpose of finding, and providing real-time or near-real-
time warning of, attempts to access system resources in an
unauthorized manner
– Intrusion prevention
▪ Hardware or software products designed to detect intrusive
activity and attempt to stop the activity, ideally before it reaches
its target
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Trust Model (1 of 2)
• One of the most widely accepted and most cited definitions
of trust is: “the willingness of a party to be vulnerable to the actions of another party based on the expectation that the other will perform a particular action important to the trustor, irrespective of the ability to monitor or control that other party”
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Trust Model (2 of 2)
• Three related concepts are relevant to a trust model:
– Trustworthiness: A characteristic of an entity that
reflects the degree to which that entity is deserving of
trust
– Propensity to trust: A tendency to be willing to trust
others across a broad spectrum of situations and trust
targets. This suggests that every individual has some
baseline level of trust that will influence the person’s
willingness to rely on the words and actions of others
– Risk: A measure of the extent to which an entity is
threatened by a potential circumstance or event, and
typically a function of 1) the adverse impacts that would
arise if the circumstance or event occurs; and 2) the
likelihood of occurrence
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Figure 1.6 Trust Model
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
The Trust Model and Information
Security • Trust is confidence that an entity will perform in a way that will not
prejudice the security of the user of the system of which that entity is a
part
• Trust is always restricted to specific functions or ways of behavior and
is meaningful only in the context of a security policy
• Generally, an entity is said to trust a second entity when the first entity
assumes that the second entity will behave exactly as the first entity
expects
• In this context, the term entity may refer to a single hardware
component or software module, a piece of equipment identified by
make and model, a site or location, or an organization
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Trustworthiness of an Individual (1 of 2)
• Organizations need to be concerned about both internal users
(employees, on-site contractors) and external users (customers,
suppliers) of their information systems
• W ith respect to internal users, an organization develops a level of trust
in individuals by policies in the following two areas:
• Human resource security
– Sound security practice dictates that information security
requirements be embedded into each stage of the employment life
cycle, specifying security-related actions required during the
induction of each individual, their ongoing management, and
termination of their employment. Human resource security also
includes assigning ownership of information (including
responsibility for its protection) to capable individuals and
obtaining confirmation of their understanding and acceptance
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Trustworthiness of an Individual (2 of 2)
• Security awareness and training
– This area refers to disseminating security information
to all employees, including I T staff, I T security staff,
and management, as well as I T users and other
employees. A workforce that has a high level of
security awareness and appropriate security training
for each individual’s role is as important, if not more
important, than any other security countermeasure or
control
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Trustworthiness of an Organization
• Most organizations rely on information system service and information
provided by external organizations, as well as partnerships to accomplish
missions and business functions (examples are cloud service providers and
companies that form part of the supply chain for the organization)
• To manage risk to the organization, it must establish trust relationships with these external organizations
• N I S T S P 800-39 (Managing Information Security Risk, March 2011) indicates
that such trust relationships can be:
– Formally established, for example, by documenting the trust-related
information in contracts, service-level agreements, statements of work, memoranda of agreement/understanding, or interconnection security
agreements
– Scalable and inter-organizational or intra-organizational in nature
– Represented by simple (bilateral) relationships between two partners or
more complex many-to-many relationships among many diverse partners
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Trustworthiness of Information
Systems • S P 800-39 defines trustworthiness for information systems as
“the degree to which information systems (including the information
technology products from which the systems are built) can be
expected to preserve the confidentiality, integrity, and availability of
the information being processed, stored, or transmitted by the
systems across the full range of threats”
• Two factors affecting the trustworthiness of information systems are:
– Security functionality: The security features/functions employed
within the system. These include cryptographic and network
security technologies
– Security assurance: The grounds for confidence that the security
functionality is effective in its application. This area is addressed
by security management techniques, such as auditing and
incorporating security considerations into the system development
life cycle
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Establishing Trust Relationships
• Validated trust:
– Trust is based on evidence obtained by the trusting organization about the
trusted organization or entity. The information may include information
security policy, security measures, and level of oversight
• Direct historical trust:
– This type of trust is based on the security-related track record exhibited by
an organization in the past, particularly in interactions with the
organization seeking to establish trust
• Mediated trust:
– Mediated trust involves the use of a third party that is mutually trusted by two parties, with the third party providing assurance or guarantee of a
given level of trust between the first two parties
• Mandated trust:
– An organization establishes a level of trust with another organization
based on a specific mandate issued by a third party in a position of authority
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Standards (1 of 2) • National Institute of Standards and Technology:
– N I S T is a U.S. federal agency that deals with measurement science,
standards, and technology related to U.S. government use and to the
promotion of U.S. private-sector innovation. Despite its national scope, N I
S T Federal Information Processing Standards (F I P S) and Special Publications (S P) have a worldwide impact
• Internet Society:
– I S O C is a professional membership society with worldwide organizational
and individual membership. It provides leadership in addressing issues
that confront the future of the Internet and is the organization home for the groups responsible for Internet infrastructure standards, including the
Internet Engineering Task Force (I E T F) and the Internet Architecture
Board (I A B). These organizations develop Internet standards and related
specifications, all of which are published as Requests for Comments (R F
C s).
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Standards (2 of 2) • I T U-T:
– The International Telecommu
Collepals.com Plagiarism Free Papers
Are you looking for custom essay writing service or even dissertation writing services? Just request for our write my paper service, and we'll match you with the best essay writer in your subject! With an exceptional team of professional academic experts in a wide range of subjects, we can guarantee you an unrivaled quality of custom-written papers.
Get ZERO PLAGIARISM, HUMAN WRITTEN ESSAYS
Why Hire Collepals.com writers to do your paper?
Quality- We are experienced and have access to ample research materials.
We write plagiarism Free Content
Confidential- We never share or sell your personal information to third parties.
Support-Chat with us today! We are always waiting to answer all your questions.