Security EngineeringAssurance & Control

Objectives

Priyanka VanjaniASU Id # 993923182

Security Engineering “Security engineering is a

specialized field of engineering that deals with the development of detailed engineering plans and designs for security features, controls and systems.” Wikipedia

It helps building systems resistant in the event of a malice or an error.

Most organizations tend to neglect the security requirements needed in order to keep their system safe.

Security requirements are usually considered in the end and not during an early analysis of the design process.

Control Objectives

Environmental context of the information system

Control Objectives (contd…)

Information contained within the system

Control Objectives (contd..)

Physical assets of the system

Information Security Objectives:

Security Objectives

Assurance Objectives

Security Control Objectives

Confidentiality Authentication Availability Integrity Non-repudiation

Confidentiality

Ensures information is not accessible by unauthorized users

Protects assets of a computing system

For example: Giving out confidential information over the phone to someone who’s not authorized

Authentication

Ensures that the users are the right people.

Information is in the right hands and the assets are being used in an authorized manner.

For example: Passwords, digital certificates, smart cards

Availability

Ensures information is accessible to authorized users and is available when needed.

For example: Access to a database as and when required.

DoS: Denial of service should not be there

Integrity

Ensures that the data cannot be created, deleted or modified without authorized access to it.

For example: When a database is not properly shutdown before maintenance is performed.

Employee intentionally modifies or deletes important data.

Non-repudiation

It is the proof of the identity of the sender and the recipient.

For example: Ecommerce uses digital signatures and ecryption.

Assurance Control Objectives

Management functions

Involves security policies, information security plan, risk management and personal security.

gem

Assurance Control Objectives

Configuration Management Personnel Management Vulnerability Management Software Development

Management Verification Management

Requirements

Legacy Systems: used by some organizations where anything else cannot be implemented.

User’s Documentation: includes detailed system requirements. The engineer is supposed to look through the requirements specifications in order to derive any system security requirement.

Security Standards

“Prescribed configuration and practices that improve the security of IT systems.” Wiki

Standards are used by both government and user organizations.

Security Models

The Common Criteria

Provides assurance on specification, implementation and evaluation process of a security product and makes sure it is conducted in a standard manner.

The Common Criteria (contd..)

The Common Criteria (contd..)

Functional requirements include:

Authentication Resource utilization Privacy Protection of TOE Trusted channels Security Management

ISO/IEC 17799

Addresses good security policies Doesn’t provide detailed

instructions Superficial overview of the security

requirements that act as a base

ISO/IEC 17799 (contd..)

Personnel Security Compliance Access Control Organizational security

infrastructure and policy Physical and environmental

security Operations Management etc.

The Capability Maturity Model-Integrated (CMMI)

Include practices for process improvement

Manage development & maintenance of products

Help periodically measure improvement

‘Assessment’ model: determines the level at which the organization currently stands

CMMI

SSE-CMM The System Security Engineering

Capability Maturity Model Describes essential characteristics

of an organization’s security engineering process

Includes entire system life cycle of a product, concept definition, requirement analysis, design, development, integration, installation, maintenance etc.

SSE-CMM (contd..)

Organization engineering activities Interactions within the organization

such as with systems software, hardware, system management, operation as well as maintenance

Interactions with other organizations such as system management, certification, evaluation of the policies

Cost-benefit analysis

It is important for an organization to choose between effective security policies, optimal performance and affordable cost.

Security policies are implemented depending upon how often an attack is expected.

Cost-benefit analysis (Contd..)

It is difficult to analyze whether a certain investment in a security policy would give the expected returns.

References http://en.wikipedia.org/wiki/Security_engineering http://www.albion.com/security/intro-4.html http://en.wikipedia.org/wiki/Information_security#Integrity

http://ieeexplore.ieee.org/iel5/4021173/4021174/04021255.pdf?isnumber=4021174&prod=CNF&arnumber=402

1255&arSt=482&ared=488&arAuthor=Sung-il+Han%3B+Kab-seung+Kou%3B+Gang-soo+Lee

http://www.mantagroup.com/html/images/wp-0506102.gif

http://ieeexplore.ieee.org/iel5/4301108/4301109/04301148.pdf

http://www.cs.cmu.edu/~shawnb/SAEM-ICSE2002.pdf

References (Contd..) http://en.wikipedia.org/wiki/Information_security http://en.wikipedia.org/wiki/Legacy_system http://en.wikipedia.org/wiki/Common_Criteria http://images.google.com/imgres?imgurl=http://www.iso15408.net/pps18.gif&imgrefurl=http://www.iso15408.net/15408presentation.htm&h=405&w=542&sz=26&hl=en&start=11&um=1&tbnid=uhRTB9CFgMm4XM:&tbnh=99&tbnw=132&prev=/images%3Fq%3DThe%2Bcommon%2Bcriteria%26um%3D1%26hl%3Den%26

http://www.opengroup.org/architecture/togaf8-doc/arch/chap27.htmlsa%3DG

http://www.boldtech.com/images/cmmi.jpg http://www.sse-cmm.org/model/model.asp

Thank You !