Description
Question(s): In response to your peers, connect their solutions to the application of the CIA triad or Fundamental Security Design Principles (FSDPs). For reference, refer to the CIA Triad and Fundamental Security Design Principles document. The CIA Triad and Fundamental Security Design Principles document is attached below.
PEER POST # 1
The question, “If these companies had such a hard time getting it perfect, what chance does anyone else have?” raises a critical issue regarding the security of IP routing protocols. It acknowledges the challenges faced by large technology companies in ensuring the perfect security of these protocols. The fact that this question was posed in 2001 and that many of the identified exploits still exist highlights the persistent and complex nature of security vulnerabilities in IP routing. One key aspect to consider is that the landscape of network security and IP routing has evolved since 2001, and security measures have improved. However, it’s true that IP routing protocols continue to face security threats. The question points out that simply throwing money at the problem hasn’t been the ultimate solution.
To address this issue effectively, it’s important to consider a multifaceted approach:
Security by Design: Building security into the core of routing protocols from the outset is crucial. This involves developing protocols with security in mind, rather than treating it as an afterthought. Creating protocols that are inherently secure reduces the need for constant patching and updates.
Standardization and Best Practices: Encourage the adoption of security best practices and standards within the industry. Standardization bodies and organizations can play a critical role in defining and promoting security standards for IP routing. This can help ensure that all vendors and network operators adhere to a common set of security principles.
Education and Training: Invest in training for network administrators and engineers. A well-informed and skilled workforce is essential to the security of any network. Ensuring that personnel understand the latest security threats and best practices is crucial.
Imagine you have a team of people in charge of protecting your computer network. To do their job well, they need to know a lot about how to keep the network safe. Education and training for network administrators and engineers are like sending them to school to learn how to defend the network from cyber threats. They study the latest security threats and best practices, just like doctors study new medical techniques. This helps them stay up-to-date and well-prepared to protect the network. By following these multifaceted approaches, organizations and the industry as a whole can better address the persistent and complex security challenges associated with IP routing protocols. This comprehensive strategy emphasizes proactive security practices, collaboration, and adaptability to mitigate risks effectively.
PEER POST # 2
Cyber security and risk are some of my favorite topics to explore. While it is true that there are no perfect solutions to combat cyber exploits, there are cost-effective measures that can be put in place to make systems more secure. It is not always complicated, high-cost solutions that work best; often it is simple security measures that are often overlooked. Two of these measures are human factors and network security, which would be my main focus in trying to implement a cost-effective solution.
According to CYDEF, “Humans are a significant factor contributing to data breaches. While cybersecurity is usually treated as a technology problem, 88% of data breaches are the result of human error” (CYDEF, 2021). Human factors focus on topics like spreading cyber awareness to individuals, changing the mentality of management, and making sure principles like least privilege are being followed. It is important to make sure individuals are completing cyber awareness training and are not penalized for self-reporting a mistake. Management sometimes can hyperfocus on income-producing work products. Trying to focus employees to meet high metric scores can make them more susceptible to exploits like phishing attacks. It can also cause upper management to not support the technological side of the business. Principles like least privilege are focused on individuals not having more access than necessary. This particularly becomes a challenge as employees are with companies for a while because as they move around different departments access is often added without prior access being removed. Reviewing access management logs and using Active Directory software can often help keep this practice from being disregarded.
Network security is a very cost-effective way to approach security, whether it is port security, IP routing, or configuration. Port security converges network and physical security. It is a combination of making sure insecure and unused ports are disabled, and physically making sure ports cannot be accessed by unauthorized individuals. An example of this is the North American casino data breach where hackers accessed the network through a temperature-monitoring IoT device in a fish tank (Larson, 2017). IP routing is critical because it allows you to control traffic to and from your system. It allows you to create whitelists so that individuals can only access a limited number of safe sites and controls where individuals are accessing data. So, for example, if it detects your system is trying to log in from Asia it can quarantine that system until it confirms if you are overseas. Network configurations also play a significant role. Making sure you segregate your network and do not have your intranet accessible in public areas like cafeterias or waiting rooms can help keep your systems secure. Making sure your network distance is limited to the area of your building and is configured with a private network name can also help keep it from being detected.
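The access review described in Peer Post # 2 (access added on each department move without prior access being removed), shown here as an added example that is not part of either peer post or the attached document. It replays a constructed access-management log and flags entitlements that fall outside the user's current department baseline; the department names, entitlement names, and log format are assumptions made for illustration.

```python
from datetime import date

# Constructed baseline: entitlements each department needs (hypothetical names).
ROLE_BASELINE = {
    "finance": {"erp_ledger", "payroll_read"},
    "support": {"ticketing", "crm_read"},
    "engineering": {"source_repo", "ci_deploy"},
}

# Constructed access-management log: (date, user, action, detail).
ACCESS_LOG = [
    (date(2021, 1, 4), "avery", "transfer", "finance"),
    (date(2021, 1, 4), "avery", "grant", "erp_ledger"),
    (date(2021, 1, 4), "avery", "grant", "payroll_read"),
    (date(2021, 3, 1), "blake", "transfer", "engineering"),
    (date(2021, 3, 1), "blake", "grant", "source_repo"),
    (date(2022, 6, 1), "avery", "transfer", "support"),
    (date(2022, 6, 1), "avery", "grant", "ticketing"),
    (date(2022, 6, 2), "avery", "revoke", "erp_ledger"),  # payroll_read was never revoked
]


def replay(log):
    """Replay the log in date order; return {user: (department, {entitlement: granted_on})}."""
    state = {}
    for when, user, action, detail in sorted(log, key=lambda entry: entry[0]):
        dept, held = state.get(user, (None, {}))
        if action == "transfer":
            dept = detail
        elif action == "grant":
            held[detail] = when
        elif action == "revoke":
            held.pop(detail, None)
        state[user] = (dept, held)
    return state


def find_privilege_creep(log, baseline):
    """Return sorted (user, entitlement, granted_on) tuples not justified by the current department."""
    findings = []
    for user, (dept, held) in replay(log).items():
        # A department with no baseline justifies nothing: default deny.
        allowed = baseline.get(dept, set())
        for entitlement, granted_on in held.items():
            if entitlement not in allowed:
                findings.append((user, entitlement, granted_on))
    return sorted(findings)
```

Each finding carries the original grant date, so the reviewer can see how long the leftover access has outlived the role it was granted for.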
CIA Triad and Fundamental Security Design Principles
The terms listed below are essential in the field of cybersecurity and will be a topic of conversation and
application throughout the program. It is therefore important for you to familiarize yourself with these
terms and their definitions.
Note that the CIA triad is sometimes referred to as the tenets of cybersecurity. The Fundamental
Security Design Principles are sometimes called fundamental design principles, cybersecurity first
principles, the cornerstone of cybersecurity, and so on.
CIA Triad
Information that is secure satisfies three main tenets, or properties, of information. If you can ensure
these three tenets, you satisfy the requirements of secure information (Kim & Solomon, 2013).
Confidentiality
Only authorized users can view information (Kim & Solomon, 2013).
Integrity
Only authorized users can change information (Kim & Solomon, 2013).
Availability
Information is accessible by authorized users whenever they request the information (Kim &
Solomon, 2013).
Fundamental Security Design Principles
These principles offer a balance between aspirational (and therefore unobtainable) “perfect security,”
and the pragmatic need to get things done. Although each of the principles can powerfully affect
security, the principles have their full effect only when used in concert and throughout an organization.
These principles are a powerful mental tool for approaching security: one that doesn’t age out of
usefulness or apply only to a few specific technologies and contexts; one that can be used for
architecture, postmortem analysis, operations, and communication. The principles are ultimately only
one piece in the security practitioner’s toolkit, but they are a flexible piece that will serve different roles
for different people (Sons, Russell, & Jackson, 2017).
Abstraction
Removal of clutter. Only the needed information is provided for an object-oriented mentality.
This is a way to allow adversaries to see only a minimal amount of information while securing
other aspects of the model (Tjaden, 2015).
Complete Mediation
All accesses to objects should be checked to ensure that they are allowed (Bishop, 2003).
Encapsulation
The ability to only use a resource as it was designed to be used. This may mean that a piece of
equipment is not being used maliciously or in a way that could be detrimental to the overall
system (Tjaden, 2015).
Fail-Safe Defaults / Fail Secure
The theory that unless a subject is given explicit access to an object, it should be denied access
to that object (Bishop, 2003).
Information Hiding
Users having an interface to interact with the system behind the scenes. The user should not be
worried about the nuts and bolts behind the scenes, only the modes of access presented to
them. This topic is also integrated with object-oriented programming (Tjaden, 2015).
Isolation
Individual processes or tasks running in their own space. This ensures that the processes will
have enough resources to run and will not interfere with other processes running (Tjaden,
2015).
Layering
Having multiple forms of security. This can be from hardware or software, but it involves a series
of checks and balances to make sure the entire system is secured from multiple perspectives
(Tjaden, 2015).
Least Astonishment (Psychological Acceptability)
Security mechanisms should not make the resource more difficult to access than when security
mechanisms were not present (Bishop, 2003).
Least Privilege
The assurance that an entity only has the minimal amount of privileges to perform their duties.
There is no extension of privileges to senior people just because they are senior; if they don’t
need the permissions to perform their normal everyday tasks, then they don’t receive higher
privileges (Tjaden, 2015).
Minimization of Implementation (Least Common Mechanism)
Mechanisms used to access resources should not be shared (Bishop, 2003).
Minimize Trust Surface (Reluctance to Trust)
The ability to reduce the degree to which the user or a component depends on the reliability of
another component (Bishop, 2003).
Modularity
The breaking down of larger tasks into smaller, more manageable tasks. This smaller task may
be reused, and therefore the process can be repurposed time and time again (Tjaden, 2015).
Open Design
The security of a mechanism should not depend on the secrecy of its design or implementation
(Bishop, 2003).
Separation (of Domains)
The division of power within a system. No one part of a system should have complete control
over another part. There should always be a system of checks and balances that leverage the
ability for parts of the system to work together (Tjaden, 2015).
Simplicity (of Design)
The straightforward layout of the product. The ability to reduce the learning curve when
analyzing and understanding the hardware or software involved in the information system
(Tjaden, 2015).
Trust Relationships
A logical connection that is established between directory domains so that the rights and
privileges of users and devices in one domain are shared with the other (PC Magazine, 2018).
Usability
How easy hardware or software is to operate, especially for the first-time user. Considering how
difficult applications and websites can be to navigate through, one would wish that all designers
took usability into greater consideration than they do (PC Magazine, 2018).
References
Bishop, M. (2003). Computer security: Art and science. Boston, MA: Addison-Wesley Professional.
Kim, D., & Solomon, M. G. (2013). Fundamentals of information systems security (2nd ed.). Burlington,
MA: Jones & Bartlett Publishers.
PC Magazine. (2018). Encyclopedia. Retrieved from https://www.pcmag.com/encyclopedia
Sons, S., Russell, S., & Jackson, C. (2017). Security from first principles. Sebastopol, CA: O’Reilly Media,
Inc.
Tjaden, B. C. (2015). Appendix 1: Cybersecurity first principles. Retrieved from
https://users.cs.jmu.edu/tjadenbc/Bootcamp/0-GenCyber-First-Principles.pdf