Lecture 2
Fundamental Security Design Principles
Economy of Mechanism: This principle suggests that the design of security measures should be kept
simple. Simplicity makes it easier to implement and verify the security mechanisms. A simpler design is
generally less prone to errors, easier to understand, and more straightforward to test. It also tends to
have fewer vulnerabilities because there is less complexity to exploit.
Fail-Safe Default or Fail Securely: Access decisions in a system should be based on permissions, and the
default state should be one of lack of access. This means that if something goes wrong or is not explicitly
allowed, the system defaults to a secure state of denying access. By defaulting to a secure state, this
principle minimizes the risk of unauthorized access. It ensures that even if a specific permission is not
explicitly set, the system remains secure.
Complete Mediation: According to this principle, every access attempt should be checked against an
access control system. Complete mediation helps prevent unauthorized access by thoroughly scrutinizing
every attempt. It ensures that access is granted only to those who have the necessary permissions.
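The fail-safe default and complete mediation principles above, as an added example that is not part of the lecture: the same authorization check written first as a blocklist (default allow) and then as a single allowlist checkpoint that denies anything not explicitly permitted. The subjects, resources and policy are constructed samples.

```python
# Weak form: a blocklist, so anything not named is allowed by default.
BLOCKLIST = {("guest", "payroll.db")}


def weak_check(subject: str, resource: str) -> bool:
    """Default allow: only the exact pairs in BLOCKLIST are refused."""
    return (subject, resource) not in BLOCKLIST


# Hardened form: an allowlist of explicit permissions (constructed sample policy).
ALLOWLIST = {
    "alice": {"payroll.db": {"read"}, "reports/": {"read", "write"}},
    "guest": {"public/": {"read"}},
}


def mediated_check(policy: dict, subject: str, resource: str, action: str) -> bool:
    """Single checkpoint that every access passes through (complete mediation).
    A missing subject, missing resource, missing action, or a malformed policy
    entry all fall through to deny (fail-safe default)."""
    try:
        return action in policy[subject][resource]
    except (KeyError, TypeError):
        return False


if __name__ == "__main__":
    # A spelling variant of the resource name slips past the blocklist, and an
    # unknown subject is allowed; the allowlist denies both.
    print(weak_check("guest", "./payroll.db"))                           # True
    print(weak_check("mallory", "payroll.db"))                           # True
    print(mediated_check(ALLOWLIST, "guest", "./payroll.db", "read"))    # False
    print(mediated_check(ALLOWLIST, "mallory", "payroll.db", "read"))    # False
    print(mediated_check(ALLOWLIST, "alice", "payroll.db", "read"))      # True
```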
Open Design: An open design means that the security architecture and components should not be kept
secret. For example, encryption algorithms and security protocols should be open and transparent rather
than hidden.
Isolation:
Public Access Isolation: Critical resources, such as sensitive information or systems, should be separated
from public access.
User Files Isolation: Individual user files should be kept separate from one another unless intentional
sharing is desired. This prevents unintended access to or modification of another user's data.
Security Mechanism Isolation: Security mechanisms themselves should be isolated to prevent
unauthorized access. This means that the tools and systems responsible for enforcing security should be
protected and not easily accessible to potential attackers.
Encapsulation: This principle is similar to encapsulation in object-oriented programming. It involves
hiding the internal structures and details of a system's components from the outside. In the context of
security, it means that the internal workings of security mechanisms should not be easily visible or
accessible to unauthorized entities.
Modularity: Security mechanisms and features should be designed in a modular fashion. This means
breaking down the overall security system into smaller, independent modules or components that can
be managed and updated separately.
Layering (Defense in Depth):
This principle involves the use of multiple, overlapping protection approaches to enhance security.
Instead of relying on a single layer of defense, multiple layers are implemented, making it more
challenging for attackers to bypass all security measures.
Least Astonishment: According to this principle, a program or interface should always respond in a way
that is least likely to astonish or surprise a user. The behavior of a system should align with user
expectations to minimize confusion or unexpected outcomes.
Zero Trust: Zero Trust is a security model that assumes no entity, whether inside or outside the network,
can be trusted by default. Every access request and interaction is verified and authenticated, regardless
of the user's location or network connection.
Privacy by Design: Privacy by Design is an approach where privacy considerations are integrated into the
design and architecture of systems, processes, and products from the outset. It aims to embed privacy
features and protections into the core of the system.
Trust but Verify: This principle emphasizes the idea of trusting entities initially but verifying their actions
and permissions continuously. It is often associated with access control and user authentication
mechanisms.
Shared Responsibility: In a shared responsibility model, security responsibilities are distributed among
different entities, such as cloud service providers and users. Each party has a role in ensuring the overall
security of the system or service.
Separation of Privilege: This principle advocates that multiple privileges should be required to achieve
access or complete a specific task. It adds an extra layer of protection by ensuring that no single user or
process has all the necessary privileges to compromise security.
Separation of Duties (SoD): Separation of Duties involves dividing tasks and permissions among multiple
individuals or roles to prevent conflicts of interest and potential abuse of power. It ensures that no single
user has complete control over a critical process or function.
Least Privilege: Least privilege dictates that every user or process should have the minimum level of
privilege necessary to perform a specific task. Users should only have access to the resources and
permissions required for their job roles.
Least Common Mechanism: This principle recommends minimizing the functions shared by different
users or processes. The idea is to reduce the likelihood of conflicts, improve security, and avoid situations
like deadlocks.
Psychological Acceptability: Security mechanisms should not unduly interfere with the work of users.
This principle acknowledges the importance of designing security measures that are user-friendly and do
not disrupt the normal workflow.
Defense in Depth: Defense in Depth is an information security strategy that involves integrating people,
technology, and operational capabilities to establish multiple barriers across various layers and missions
within an organization. The idea is to apply multiple layers of defense, making it more challenging for
attackers to breach the system.
Secure Defaults: The principle of Secure Defaults involves setting up systems, applications, or networks
with security measures in their default configurations. This means that, from the start, the system is
configured to be secure, and users or administrators must make intentional changes to reduce security.
Fail Securely: Fail Securely, or Fail-Safe, is a concept where a system is designed to enter a secure or safe
state in the event of a failure or unexpected condition. It emphasizes that security mechanisms should
not break down in the face of errors but rather revert to a secure mode.
The Bell-LaPadula Model
The Bell-LaPadula model primarily focuses on enforcing confidentiality in access control. It is a
multilevel security model for information systems that defines a set of rules for handling classified
information. It is called a multilevel security model because it supports and defines multiple security
levels (e.g. Top Secret, Secret, Confidential). It was developed in the 1970s and is still used in some form
today by government agencies and other organizations.
The model works by granting access to pieces of data (called objects) on a strictly need-to-know basis.
Three Main Rules in the Bell-LaPadula Model:
SIMPLE SECURITY RULE: The Simple Security Rule states that a subject can only read files at the same
layer of secrecy or a lower layer, but not at a higher layer; this is why the rule is called NO READ-UP.
The *-property rule: The *-property (star property) rule states that a subject can only write files at the
same layer of secrecy or a higher layer, but not at a lower layer; this is why the rule is called NO
WRITE-DOWN.
STRONG STAR CONFIDENTIALITY RULE: The Strong Star Confidentiality Rule is the strictest of the three.
It states that a subject can read and write files only at its own layer of secrecy, neither a higher nor a
lower layer; this is why the rule is called NO READ/WRITE UP/DOWN.
Biba Model
This model was devised by Kenneth J. Biba, hence the name. It is used to maintain integrity. Subjects
(users) and objects (files) are classified in a non-discretionary fashion with respect to different layers of
secrecy. Its rules are the exact reverse of the Bell-LaPadula model's.
It has mainly 3 rules:
SIMPLE INTEGRITY RULE: The Simple Integrity Rule states that a subject can only read files at the same
layer or a higher layer, but not at a lower layer; this is why the rule is called NO READ-DOWN.
STAR INTEGRITY RULE: The Star Integrity Rule states that a subject can only write files at the same layer
or a lower layer, but not at a higher layer; this is why the rule is called NO WRITE-UP.
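The Bell-LaPadula rules and the Biba rules above, encoded as one added example (not code from the lecture) so that the mirror relationship between the two models can be checked mechanically. The four-level lattice and the subject/object labels are constructed samples.

```python
from enum import IntEnum


class Level(IntEnum):
    """Constructed sample lattice, ordered from lowest to highest secrecy."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def blp_allows(subject: Level, obj: Level, op: str, strong_star: bool = False) -> bool:
    """Bell-LaPadula (confidentiality).
    Simple security rule: read only at own level or below (NO READ-UP).
    *-property: write only at own level or above (NO WRITE-DOWN).
    Strong * rule: read and write at own level only."""
    if op not in ("read", "write"):
        raise ValueError(f"unknown operation {op!r}")
    if strong_star:
        return subject == obj
    return subject >= obj if op == "read" else subject <= obj


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba (integrity), the mirror image of Bell-LaPadula.
    Simple integrity rule: read only at own level or above (NO READ-DOWN).
    * integrity rule: write only at own level or below (NO WRITE-UP)."""
    if op not in ("read", "write"):
        raise ValueError(f"unknown operation {op!r}")
    return subject <= obj if op == "read" else subject >= obj


def decision_table(model) -> dict:
    """Map (subject, object, op) -> allowed for every pair of levels, which makes
    the mirror relationship between the two models easy to inspect."""
    return {(s.name, o.name, op): model(s, o, op)
            for s in Level for o in Level for op in ("read", "write")}


if __name__ == "__main__":
    s, o = Level.SECRET, Level.CONFIDENTIAL   # subject one level above the object
    print("BLP  read-down :", blp_allows(s, o, "read"))    # True
    print("BLP  write-down:", blp_allows(s, o, "write"))   # False
    print("Biba read-down :", biba_allows(s, o, "read"))   # False
    print("Biba write-down:", biba_allows(s, o, "write"))  # True
```

Swapping the subject and object levels in one model gives the other model's answer, which is exactly the "exact reverse" relationship the notes describe.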
Clark-Wilson Security Model
It takes a different approach to protecting the integrity of information.
SUBJECT: Any user who requests data items.
CONSTRAINED DATA ITEMS (CDI): These cannot be accessed directly by the subject; they must be accessed
through the mechanisms defined by the Clark-Wilson security model.
UNCONSTRAINED DATA ITEMS (UDI): These can be accessed directly by the subject.
The Components of the Clark-Wilson Security Model
TRANSFORMATION PROCESS: The subject's request to access constrained data items is handled by the
transformation process, which converts it into permissions and forwards it to the integrity verification
process.
INTEGRITY VERIFICATION PROCESS: The integrity verification process performs authentication and
authorization. If that succeeds, the subject is given access to the constrained data items.
Noninterference Model
The Noninterference Model is a security model implemented to ensure that actions or activities
occurring at a higher security level do not impact or interfere with activities at a lower security level.
Unlike some other security models that focus on the flow of data, the Noninterference Model is
concerned with what a subject knows about the state of the system.
Preservation of Separation:
The primary goal of the Noninterference Model is to maintain the separation between different security
levels.
Focus on Knowledge:
Unlike models that concentrate on data flow, the Noninterference Model emphasizes the knowledge
that a subject gains from observing the system.
Shared Resources:
The model analyzes shared resources to prevent information passing from higher to lower security levels.
Prevention of Information Leakage:
Noninterference aims to prevent unintended information leakage between different security levels. It
seeks to ensure that actions or observations at a higher level do not unintentionally provide knowledge
about activities at a lower level.
Brewer and Nash Model (Chinese Wall Model)
The Brewer and Nash Model, often referred to as the Chinese Wall model, focuses on maintaining
separation between datasets to prevent potential conflicts of interest among users.
Writing and Reading Restriction:
A subject can write to an object only if they cannot read another object in a different dataset.
Dynamic Access Controls:
Designed to provide dynamic access controls that can change based on a user's previous actions.
Protection Against Conflicts of Interest:
The main goal is to safeguard against conflicts of interest arising from users' access attempts.
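The Brewer and Nash reading and writing restrictions above, implemented as an added example (not code from the lecture) of a history-based access monitor. Company datasets, conflict-of-interest classes and the subject names are constructed samples; "cannot read another object" is judged from the recorded read history, which is the usual simplification of the rule.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Obj:
    name: str
    dataset: str             # company dataset the object belongs to
    coi_class: str           # conflict-of-interest class of that dataset
    sanitized: bool = False  # public (sanitized) data never raises a conflict


@dataclass
class ChineseWall:
    # Per subject: COI class -> the one dataset in that class it has read from.
    history: dict = field(default_factory=dict)

    def can_read(self, subject: str, obj: Obj) -> bool:
        """Simple security rule: read is allowed if the object is sanitized, lies in
        a dataset the subject already read from, or lies in a COI class the
        subject has not touched yet."""
        if obj.sanitized:
            return True
        chosen = self.history.get(subject, {}).get(obj.coi_class)
        return chosen is None or chosen == obj.dataset

    def read(self, subject: str, obj: Obj) -> bool:
        """Mediate a read and record it; later decisions depend on this history."""
        if not self.can_read(subject, obj):
            return False
        if not obj.sanitized:
            self.history.setdefault(subject, {})[obj.coi_class] = obj.dataset
        return True

    def can_write(self, subject: str, obj: Obj) -> bool:
        """*-property: write only if the subject has read unsanitized data from no
        dataset other than the target's, so nothing can flow across the wall."""
        if not self.can_read(subject, obj):
            return False
        read_from = set(self.history.get(subject, {}).values())
        return read_from <= {obj.dataset}


if __name__ == "__main__":
    wall = ChineseWall()
    bank_a = Obj("bank_a_report", "Bank A", "Banks")
    oil_x = Obj("oil_x_report", "Oil X", "Oil")
    wall.read("alice", bank_a)
    print(wall.can_write("alice", bank_a))  # True: only Bank A read so far
    wall.read("alice", oil_x)
    print(wall.can_write("alice", bank_a))  # False: Oil X data could cross the wall
```

The second write decision flips from allowed to denied purely because of an earlier read, which is what "dynamic access controls" means in this model.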
Attack Surface:
Definition: The attack surface refers to the sum of all possible points where an unauthorized user
(attacker) can try to enter a system.
Components:
Open ports: Points of communication between a device and a network.
Services outside a firewall: Vulnerabilities in services that are accessible from outside the
protective firewall.
Employees with access to sensitive info: Human elements that may inadvertently or maliciously
compromise security.
Categories of Attack Surface:
Network Attack Surface: Relates to vulnerabilities in network infrastructure.
Software Attack Surface: Involves vulnerabilities in software applications and systems.
Human Attack Surface: Includes vulnerabilities related to human actions, such as social engineering.
Attack Trees:
Definition: Attack trees are hierarchical structures representing a set of potential vulnerabilities and
attack paths in a system.
Objective: Help security analysts understand and analyze potential attack patterns. Information on attack
patterns may be obtained from sources like CERT or similar forums.
Computer security strategy
Policy (Specs):
Assets and their values: Identify the assets that need protection (e.g., data, systems, intellectual
property) and assess their importance to the organization.
Potential threats: Analyze and understand potential threats that could exploit vulnerabilities and
compromise the security of assets.
Ease of use vs security: Strike a balance between user convenience and robust security
measures. Policies should consider the usability of security measures to ensure they are practical
and not overly burdensome for users.
Cost of security vs cost of failure/recovery: Evaluate the financial implications of implementing
security measures versus the potential costs associated with security breaches, failures, or the
recovery process.
Implementation/Mechanism:
Prevention: Implement measures to proactively prevent security incidents. This may involve
firewalls, access controls, encryption, and other preventive technologies.
Detection: Employ tools and mechanisms to detect security incidents as they occur. Intrusion
detection systems, log analysis, and anomaly detection are examples of detection mechanisms.
Response: Develop a well-defined plan for responding to security incidents. This includes
incident response procedures, communication plans, and coordination with relevant
stakeholders.
Recovery: Establish procedures for recovering from security incidents. This involves restoring
affected systems, analyzing the incident for lessons learned, and implementing improvements to
prevent similar incidents in the future.
Correctness/Assurance:
Validation/Review: Regularly validate and review the effectiveness of security measures. This
involves conducting security audits, penetration testing, and other assessments to ensure that
security controls are working as intended.
Assurance: Provide assurance that the security measures are reliable and trustworthy. This may
involve certifications, adherence to security standards, and continuous monitoring to maintain a
high level of confidence in the security posture.