more on JOHLEM.net

CHEATSHEET

SECURITY FUNDAMENTALS AND PRINCIPLES
====================================
Security isn't one-size-fits-all; understanding the adversary is crucial.
Protection mechanisms must match the threat level.
Perfect security is impossible; we aim to improve the security posture and
balance protection elements.

THE SECURITY TRIAD (CIA)
=========================
1. Confidentiality: Ensure only authorized individuals can access data.
2. Integrity: Ensure data is unaltered and detect any changes.
3. Availability: Ensure systems/services are accessible when needed.

Examples:
---------
- Online Shopping:
  * C: Prevent leaks of credit card info.
  * I: Protect order details from tampering.
  * A: Website must stay accessible.
- Patient Records:
  * C: Maintain legal confidentiality of medical records.
  * I: Prevent life-threatening changes to patient data.
  * A: Ensure system access during consultations.

CIA Opposite: DAD Triad
-----------------------
- Disclosure: Breaches confidentiality.
- Alteration: Breaches integrity.
- Destruction/Denial: Breaches availability.

BEYOND CIA: AUTHENTICITY & NONREPUDIATION
=========================================
- Authenticity: Data is genuine and from a valid source.
- Nonrepudiation: Sender cannot deny being the data's source.

PARKERIAN HEXAD: Extended Security Elements
===========================================
1. Confidentiality (covered in CIA).
2. Integrity (covered in CIA).
3. Availability (covered in CIA).
4. Utility: Data must be in a usable form (e.g., decryptable).
5. Possession: Prevent unauthorized copying/taking.
6. Authenticity: Ensure data originates from the intended source.

SECURITY MODELS
===============
1. **Bell-LaPadula Model** (Confidentiality):
   - No Read Up (Simple Security Property).
   - No Write Down (Star Security Property).
   - Discretionary Access (Access Matrix).
2. **Biba Model** (Integrity):
   - No Read Down (Simple Integrity Property).
   - No Write Up (Star Integrity Property).
3. **Clark-Wilson Model** (Integrity):
   - CDI: Constrained Data Items (preserve integrity).
   - UDI: Unconstrained Data Items.
   - TP: Transformation Procedures (read/write data).
   - IVP: Integrity Verification Procedures.

SECURITY PRINCIPLES
===================
1. Defence-in-Depth: Multi-layered security (e.g., locks, cameras).
2. Least Privilege: Grant only necessary access to users/systems.
3. Zero Trust: Assume everything is adversarial; authenticate every access.
4. Trust but Verify: Verify actions of trusted entities via logging/audits.
5. Attack Surface Minimization: Reduce vulnerabilities (disable unused services).
6. Centralized Parameter Validation: Validate inputs securely in one place.
7. Centralized Security Services: Use centralized servers (e.g., authentication).
8. Redundancy: Add fallback mechanisms (e.g., RAID, backup power supplies).
9. Error and Exception Handling: Design fail-safe systems (e.g., crash blocks traffic).
10. Virtualization: Secure sandboxing via shared hardware.

ISO/IEC 19249: Architectural & Design Principles
================================================
Architectural:
1. Domain Separation: Group components with shared attributes.
2. Layering: Implement security policies across abstract layers (e.g., OSI model).
3. Encapsulation: Hide implementation details using APIs.
4. Redundancy: Ensure availability/integrity (e.g., redundant drives).
5. Virtualization: Share hardware with isolated security boundaries.

Design:
1. Least Privilege: Access only what is required for tasks.
2. Attack Surface Minimization: Disable unnecessary system components.
3. Centralized Parameter Validation: Check inputs via a secure central system.
4. Centralized Security Services: Centralize critical services (e.g., authentication).
5. Prepare for Errors: Handle failures securely and avoid information leaks.

SHARED RESPONSIBILITY IN CLOUD SECURITY
=======================================
- IaaS: User manages OS and applications. Provider handles hardware/network.
- SaaS: Provider manages infrastructure and software. User focuses on usage security.

Key: Both must fulfill roles for secure cloud environments.

DEFINITIONS: Vulnerability, Threat, and Risk
============================================
- Vulnerability: Weakness in a system (e.g., glass windows).
- Threat: Danger exploiting a vulnerability (e.g., a break-in).
- Risk: Likelihood of threat occurrence and its business impact.

CONCLUSION
==========
Understanding CIA, DAD, and additional principles is essential for balanced security.
Use models like Bell-LaPadula, Biba, and Clark-Wilson for specific goals.
Principles such as Defence-in-Depth and Zero Trust guide effective security
implementations. In cloud security, shared responsibility ensures coverage
across all levels.
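
Added example (not part of the original cheatsheet): a small reference monitor in Python that applies the Bell-LaPadula and Biba rules listed under SECURITY MODELS, and shows that enforcing both on a single label ladder leaves only same-level access. The four-step Level ladder, the function names and the sample labels are assumptions made for illustration.

```python
from enum import IntEnum


class Level(IntEnum):
    """Constructed label ladder (assumption), used for both models."""
    LOW = 0
    MEDIUM = 1
    HIGH = 2
    TOP = 3


def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if op == "read":
        return subject >= obj   # Simple Security Property
    if op == "write":
        return subject <= obj   # Star Security Property
    raise ValueError(f"unknown operation: {op!r}")  # refuse, never guess


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba (integrity): no read down, no write up."""
    if op == "read":
        return subject <= obj   # Simple Integrity Property
    if op == "write":
        return subject >= obj   # Star Integrity Property
    raise ValueError(f"unknown operation: {op!r}")


def decide(s_conf, s_integ, o_conf, o_integ, op):
    """Evaluate both models; access is granted only if both agree."""
    blp = blp_allows(s_conf, o_conf, op)
    biba = biba_allows(s_integ, o_integ, op)
    return {"blp": blp, "biba": biba, "granted": blp and biba}


def access_table(subject: Level) -> dict:
    """Operations granted per object level when one ladder feeds both models."""
    return {
        obj.name: [op for op in ("read", "write")
                   if decide(subject, subject, obj, obj, op)["granted"]]
        for obj in Level
    }


if __name__ == "__main__":
    # Constructed case: subject cleared HIGH with MEDIUM integrity,
    # object labelled LOW confidentiality and HIGH integrity.
    print(decide(Level.HIGH, Level.MEDIUM, Level.LOW, Level.HIGH, "read"))
    print(decide(Level.HIGH, Level.MEDIUM, Level.LOW, Level.HIGH, "write"))
    print(access_table(Level.MEDIUM))
```

Keeping separate confidentiality and integrity labels, as in the constructed case, is what lets a subject read across levels without either model being violated.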