LM9 & LM15 Security

This menu system covers or serves both Chapter 9 Network Security and Chapter 15 Computer Security as Computer, Information and Network are inseparably integrated in my opinion.  Note Lecture Captures located at bottom of page

Introduction

First, security and trust… and privacy… and ethics… go hand in hand.  As continually repeated in class to everyone’s chagrin 🙂 …  security is the first thing we think of when evaluating or developing any resource!  Also note that while promoting security and privacy is ethical it has a large impact on trust and therefore commerce.

It has been said that security is 75% policy and 25% application.  As a user – I can choose to never connect my computer to the Internet or any network.  This would be a policy and intuitively we can see this policy would provide security assurance of my computer.  As an administrator – I could require that every computer in my domain has antivirus software installed and virus definitions are updated upon booting any system.  Increasingly I could require all hard drives be encrypted (Mac FileVault 2, Windows BitLocker, etc.) and these are sound policies.  On a personal and even humorous level, I will not open emails from many people because who knows where their computers have been – :).

What are some other policies I might create and enforce as an administrator or simply apply as a user?

Information Assurance (from DoD)

Information Assurance (IA) is defined by Department of Defense Instruction (DoDI) 8500.01E as “measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation.”

Identification

Identification is the claiming of an identity and you do this when you supply a username and password.  There are three levels of identification listed in decreasing order of security.

Something I am – e.g. Biometrics

Something I have (Possessed Object) – key or passcard

Something I know (Possessed Knowledge) – username/password

On this note, all CIS students must change their default passwords and please see this page’s Security & Privacy Tips submenu item for a nice password trick.  Students who need WIReD assistance or username/password information need to go to the Registrar’s Office.

Two-Factor – using 2 of the above identification classes


Authentication

The system’s process of verifying the identity of an individual, usually based on a username and password; in other words, the identification claimed above must be verified. From the system’s standpoint, the system checks the username and password provided by the user against its password files.


Non-repudiation

Non-repudiation goes beyond authentication as it establishes a verifiable link to an agent’s identity.  Consider that a simple user name and password can be input by someone other than the individual. Digital certificates and signatures issued by a certificate authority are used for this purpose and this is what is necessary for legal documents and in court.


Authorization

First, please note that authentication introduced above is distinct from authorization. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual. Authorization is the process of giving individuals access to system objects based on their identity.
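The two steps above (check the claimed identity against the password file, then check what that identity is allowed to do) as an added example in Python. This is not code from the course page; the password file, the users, the passwords and the access-control list are all constructed here for illustration. Passwords are stored as salted PBKDF2 hashes rather than in the clear, and comparisons use hmac.compare_digest so that timing does not leak how much of a hash matched.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; higher is slower for attackers and users alike


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so that a stolen password file is not directly usable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def add_user(password_file: dict, username: str, password: str) -> None:
    """Store (salt, hash) for a user; the plaintext password is never kept."""
    salt = os.urandom(16)
    password_file[username] = (salt, hash_password(password, salt))


def authenticate(password_file: dict, username: str, password: str) -> bool:
    """Authentication: verify the identification (username) using the secret (password)."""
    record = password_file.get(username)
    if record is None:
        # Do the same amount of work for unknown users so response time does not reveal
        # which usernames exist.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = record
    return hmac.compare_digest(stored, hash_password(password, salt))


# Constructed access-control list: object -> user -> permitted actions.
ACL = {
    "grades.csv": {"instructor": {"read", "write"}, "student": {"read"}},
}


def authorize(username: str, action: str, obj: str) -> bool:
    """Authorization: decide what an already-authenticated identity may do."""
    return action in ACL.get(obj, {}).get(username, set())


def access(password_file: dict, username: str, password: str, action: str, obj: str) -> str:
    """Authentication first; authorization is a separate, second decision."""
    if not authenticate(password_file, username, password):
        return "authentication failed"
    if not authorize(username, action, obj):
        return "authorization denied"
    return "granted"


def demo() -> dict:
    """Build a constructed password file and exercise the four interesting cases."""
    pf = {}
    add_user(pf, "instructor", "correct horse battery staple")
    add_user(pf, "student", "hunter2")
    return {
        "good_login_allowed": access(pf, "instructor", "correct horse battery staple", "write", "grades.csv"),
        "good_login_denied": access(pf, "student", "hunter2", "write", "grades.csv"),
        "bad_password": access(pf, "student", "wrong", "read", "grades.csv"),
        "unknown_user": access(pf, "nobody", "anything", "read", "grades.csv"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The "good_login_denied" case is the one worth noticing: the student authenticates successfully but is still refused, which is exactly the distinction the paragraph draws between proving who you are and being granted access.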


Confidentiality

Network confidentiality means that network traffic sniffed at the packet level cannot be read and is accomplished through encryption. Confidentiality may be thought of as secrecy. Note: Data or Information Confidentiality is related to authorization in that it limits access to certain types of information.


Integrity

Integrity means that messages or data have not been tampered with. This involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle. As a result this is an issue for Internet communications, Web pages, and personal and corporate data alike.
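How tampering is actually detected, as an added example in Python (not from the course page). It attaches a keyed message authentication code (HMAC-SHA256) to a constructed message and shows that a modified message fails verification, while a plain unkeyed hash sent alongside the message does not help because whoever changes the message can recompute it. The key and message are constructed for the demo. Note the caveat for the Non-repudiation section above: a shared-key MAC proves integrity to the other key holder but not to a third party, since either side could have produced the tag; that is why non-repudiation needs a digital signature with a private key held by one party only.

```python
import hashlib
import hmac

# Constructed shared secret; in practice agreed out of band and never sent with the message.
KEY = b"constructed-demo-key-not-for-real-use"


def mac(message: bytes, key: bytes = KEY) -> bytes:
    """Keyed tag over the message; cannot be recomputed without the key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(message: bytes, received_tag: bytes, key: bytes = KEY) -> bool:
    """compare_digest avoids leaking how many leading bytes matched via timing."""
    return hmac.compare_digest(mac(message, key), received_tag)


def plain_digest(message: bytes) -> bytes:
    """Unkeyed hash: detects accidental corruption only."""
    return hashlib.sha256(message).digest()


def demo() -> dict:
    original = b"transfer $100 to account 12345"
    altered = b"transfer $900 to account 12345"

    # Sender attaches a MAC; receiver checks it.
    tag = mac(original)
    results = {
        "mac_intact": verify_mac(original, tag),
        # Message changed in transit, tag left alone: detected.
        "mac_tampered": verify_mac(altered, tag),
        # Attacker without the key tries to supply a fresh tag for the altered message.
        "mac_forged": verify_mac(altered, mac(altered, b"attacker-guess")),
    }

    # Same scenario with a plain hash: the attacker simply recomputes the digest.
    digest = plain_digest(original)
    results["plain_intact"] = plain_digest(original) == digest
    results["plain_tampered_and_rehashed"] = plain_digest(altered) == plain_digest(altered)
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The last line of the demo is the point: with an unkeyed hash the tampered message is accepted because the attacker updated the digest too, so a hash alone gives integrity against noise, not against an adversary.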

Availability

Availability ensures the ability of end users to access the information. This is ensured by rigorously maintaining and ensuring the proper operation of networks (including sufficient bandwidth), hardware and software (e.g. applying security updates).

Responsibility

Moral, legal, or mental accountability.  Note that you may delegate authority but not responsibility.


Chapter 9 Textbook Material Lecture Video


There is a lot of great content in the submenu.  I recommend you start with the privacy tips and continue on through the sub-menu.  If you know of any emergent Security Tech please send it to me for inclusion on the Security Tech page.

Lastly, here is HVCC CIS grad Gina Chapman working as the Senior Director for the Center for Internet Security
