Consider the requirements of a secure system and how those requirements might be threatened, whether by deliberate attack or otherwise. The following table briefly summarizes each basic aspect of security, its vulnerabilities, and the kinds of security practices that help to mitigate those risks.
Element / Threat, Vulnerabilities, and Countermeasures for each element:

Availability: maintaining timely access to information and services
Threat: Customers are deprived of service - you might as well be out of business.
Vulnerabilities:
- application crash due to software error (i.e., a bug)
- system hangs instead of degrading gracefully under heavy usage
- distributed denial of service (DDoS) attack
- power outage
- diverse types of hardware failure
- natural disaster
- riot or terrorist attack
- inability to restore data promptly after a system failure
Countermeasures:
- robust application design with comprehensive exception handling
- provision for ample peak capacity and built-in overload protection
- limits on request execution times
- firewall and router configuration with network traffic monitoring and adaptive filtering
- segmented network topology
- hardening the TCP/IP stack
- UPS and redundant hardware, ready to swap into service
- automated transaction logging and recovery mechanisms

Authentication: ensuring legitimate identification of users and their agents
Threat: An anonymous or bogus identity enters a restricted area, opening the door to further mischief.
Vulnerabilities: Passwords and keys can be misappropriated in any of these ways:
- phishing and other email-based social engineering scams
- spyware infection acquired from any of a variety of web browsing exploits, such as cross-site scripting and pharming
- breaking weak passwords by brute force
- packet sniffing on insecure network traffic
- physical eavesdropping
- theft of keys and computers
- discarded computers and media
Or authentication could be bypassed altogether, through:
- holes in application design or system configuration that provide an avenue for circumventing normal perimeter defenses
- Trojan "back door" planted by a virus or worm
- man-in-the-middle attacks and other variations of session hijacking
Countermeasures:
- education on common security threats and safe practices
- policies encouraging use of strong passwords with periodic expiration
- operating system lockdown, updates, and patch management
- malware scanning, blocking, and removal tools
- biometrics, smart cards, and two-factor authentication technologies
- cryptographically secure storage and transmission of passwords, keys, and session state information
- strongly encrypted communications protocols, such as SSL and IPSec
- cryptographic hashing for secure password storage, session control, and proxy authentication
- multiple authentication, session timeouts, and logout functionality
- automatic lockout after repeated failed login attempts
- independent penetration testing
- preparing for rapid incident response
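Two of the countermeasures above, cryptographic hashing for password storage and automatic lockout after repeated failed login attempts, as an added Python example that is not code from the original page. The UserStore class, the PBKDF2 round count and the lockout constants are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 200_000      # work factor; tune so one hash costs ~100 ms on the server
MAX_FAILED_ATTEMPTS = 5      # lockout threshold
LOCKOUT_SECONDS = 15 * 60    # how long an account stays locked after the threshold


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived key) from PBKDF2-HMAC-SHA256 with a fresh random salt."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, key


class UserStore:
    """Hypothetical in-memory credential store; a real system persists these fields."""

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}

    def register(self, username: str, password: str) -> None:
        salt, key = hash_password(password)
        # Only the salt and derived key are kept; the cleartext password never is.
        self.users[username] = {"salt": salt, "key": key, "failed": 0, "locked_until": 0.0}

    def login(self, username: str, password: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'locked' or 'denied'. `now` is injectable so tests can control time."""
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None:
            hash_password(password, b"\x00" * 16)   # same cost for unknown usernames
            return "denied"
        if now < user["locked_until"]:
            return "locked"                           # no hashing while locked
        _, key = hash_password(password, user["salt"])
        if hmac.compare_digest(key, user["key"]):     # constant-time comparison
            user["failed"] = 0
            return "ok"
        user["failed"] += 1
        if user["failed"] >= MAX_FAILED_ATTEMPTS:
            user["locked_until"] = now + LOCKOUT_SECONDS
            user["failed"] = 0
        return "denied"
```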

Authorization: restricting the actions a user is permitted to take
Threat: An attacker gains access to restricted resources without proper approval, setting the stage for breach of confidentiality or data tampering.
Vulnerabilities:
- exposed system files and resources for which access has not been sufficiently restricted
- buffer overruns, SQL injection, cross-site scripting, and other forms of parameter manipulation, gaining access to more capabilities than intended
- escalation of privileges by exploiting known operating system vulnerabilities
- abuse of administrative privileges
- insider knowledge about details of application design, network configuration, file names, or database structure
Countermeasures:
- configuration of network components, databases, workstations, and servers according to best practice guidelines
- employing all available access control mechanisms, including those at the application level
- thorough input validation and other defensive coding practices
- principles of least privilege and constrained I/O
- compartmentalized architecture to limit damage
- activity monitoring and intrusion detection systems
- deterrence through secure audit trails
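The SQL injection vulnerability above, beside the defensive-coding and application-level access control countermeasures, as an added Python example that is not part of the original table. The documents table, its rows and the titles_* functions are constructed for illustration.

```python
import sqlite3
from typing import List


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table of documents, each owned by one user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, owner TEXT, title TEXT)")
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", [
        (1, "alice", "alice budget"),
        (2, "bob", "bob payroll"),
        (3, "bob", "bob contracts"),
    ])
    return conn


def titles_vulnerable(conn: sqlite3.Connection, owner: str) -> List[str]:
    # VULNERABLE: the caller-supplied value is spliced into the SQL text, so a
    # crafted value rewrites the WHERE clause instead of merely filling a slot.
    sql = f"SELECT title FROM documents WHERE owner = '{owner}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def titles_hardened(conn: sqlite3.Connection, owner: str) -> List[str]:
    # HARDENED: the driver binds the value as data; whatever it contains, it
    # can only ever be compared against the owner column.
    sql = "SELECT title FROM documents WHERE owner = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (owner,))]


def titles_for_session(conn: sqlite3.Connection, session_user: str,
                       requested_owner: str) -> List[str]:
    """Application-level access control on top of the parameterised query.

    The owner a client may read is decided from the authenticated session,
    not from the request, so a user cannot read someone else's documents
    even with perfectly well-formed input (least privilege at the app layer).
    """
    if requested_owner != session_user:
        raise PermissionError(f"{session_user} may not read documents of {requested_owner}")
    return titles_hardened(conn, requested_owner)
```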

Accountability: preserving a record of what was done and by whom
Threat: A transaction becomes untraceable and refutable, because of failure to capture and retain data proving its source.
Vulnerabilities:
- inadequate logging due to design oversight or insufficient security requirements planning
- log files lost, damaged, or simply not adequately secured to comply with legal evidentiary standards
Countermeasures: Facilities for automated, secure logging, which provide the basis for a number of essential functions:
- audit trails that guarantee non-repudiation
- automatic database recovery following interrupted operations
- diagnosing unexplained failures
- intrusion detection and forensic analysis
- tracking down and prosecuting cyber-criminals

Confidentiality: hiding sensitive information from unauthorized viewers
Threat: News of a breach of confidential information causes embarrassment and legal liability.
Vulnerabilities: Sensitive information may be exposed because of failure to adequately restrict access, due to:
- hastily constructed applications
- ignorance of regulatory requirements
Countermeasures: Application designers must be educated and adhere to policies regarding the use of encryption and access controls for compliance with applicable privacy laws and regulations, such as:
- Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach-Bliley Act (GLBA)
- Cardholder Information Security Program (CISP)
- Data Protection Act (in the UK)

Integrity: guaranteeing that information remains accurate and complete
Threat: Data is missing or falsified, casting a shadow over the entire system's credibility.
Vulnerabilities:
- physical loss or damage due to failure of hardware or storage medium
- malicious tampering by an attacker who has penetrated defenses
- error in application program logic (bug), e.g. due to improper synchronization of multi-user access, race conditions, etc.
Countermeasures:
- backup storage
- physical security
- effective access controls
- checksums and hash-based message authentication codes (HMACs)
- safe coding practices: defense in depth, peer design review, diligent testing and quality assurance
- rigorous transaction processing techniques
- compliance with legislation safeguarding the accuracy of financial data, e.g. Sarbanes-Oxley Act (SOX).
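The secure audit trail from the Accountability element and the HMAC countermeasure from the Integrity list, served by one added Python example that is not code from the original page: an HMAC-chained log whose verifier detects altered, reordered or deleted entries. The AuditLog class and LOG_KEY are assumptions; an HMAC under a shared key gives tamper evidence, while non-repudiation toward a third party would additionally need per-actor digital signatures.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Constructed key for illustration; in practice it lives in a key store held only
# by the logging service, so application code cannot forge or rewrite entries.
LOG_KEY = b"example-audit-log-key"


def entry_tag(key: bytes, prev_tag: str, record: Dict) -> str:
    """HMAC-SHA256 over the previous entry's tag plus this record, chaining entries."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_tag + canonical).encode(), hashlib.sha256).hexdigest()


class AuditLog:
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.entries: List[Dict] = []   # each: {"record": {...}, "tag": hex}

    def append(self, actor: str, action: str, target: str) -> str:
        record = {"seq": len(self.entries), "actor": actor, "action": action, "target": target}
        prev_tag = self.entries[-1]["tag"] if self.entries else ""
        tag = entry_tag(self.key, prev_tag, record)
        self.entries.append({"record": record, "tag": tag})
        return tag   # the latest tag ("head") can be stored off-host to detect truncation

    def verify(self, expected_head: Optional[str] = None) -> int:
        """Return -1 if the chain is intact, else the index of the first bad entry."""
        prev_tag = ""
        for i, entry in enumerate(self.entries):
            if entry["record"].get("seq") != i:
                return i                # an entry was deleted, inserted or reordered
            if not hmac.compare_digest(entry["tag"], entry_tag(self.key, prev_tag, entry["record"])):
                return i                # record contents or tag were altered
            prev_tag = entry["tag"]
        if expected_head is not None and not hmac.compare_digest(prev_tag, expected_head):
            return len(self.entries)    # entries were removed from the end
        return -1
```

Deleting the most recent entries leaves a chain that still verifies on its own, which is why the head tag must be anchored somewhere the logging host cannot rewrite.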