dido:public:ra:1.4_req:2_nonfunc:25_security
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
dido:public:ra:1.4_req:2_nonfunc:25_security [2021/08/13 12:43] murphy |
dido:public:ra:1.4_req:2_nonfunc:25_security [2022/04/12 15:20] (current) nick |
||
|---|---|---|---|
| Line 3: | Line 3: | ||
| ===== About ===== | ===== About ===== | ||
| + | [[[[dido:public:ra:1.4_req:2_nonfunc:25_security | Return to Top]] | ||
| + | |||
| Security is not a single "thing" that can be added to a system. To be truly secure, the entire [[dido:public:ra:xapend:xapend.a_glossary:e:e2esolution]] needs to be secure and needs to be considered during the entire [[dido:public:ra:xapend:xapend.a_glossary:s:syslifecycle]]. As shown in Figure {{ref>layerSecure}}, a layered approach is used to help isolate the security needs. Each layer represents a portion of the [[dido:public:ra:xapend:xapend.a_glossary:i:infotech]] stack, including the people who use and have access to the IT stack. | Security is not a single "thing" that can be added to a system. To be truly secure, the entire [[dido:public:ra:xapend:xapend.a_glossary:e:e2esolution]] needs to be secure and needs to be considered during the entire [[dido:public:ra:xapend:xapend.a_glossary:s:syslifecycle]]. As shown in Figure {{ref>layerSecure}}, a layered approach is used to help isolate the security needs. Each layer represents a portion of the [[dido:public:ra:xapend:xapend.a_glossary:i:infotech]] stack, including the people who use and have access to the IT stack. | ||
| Line 16: | Line 18: | ||
| The physical security is concerned with preventing physical harm to the [[dido:public:ra:xapend:xapend.a_glossary:c:computerplaform]] (e.g., theft, fire, flooding, etc.), as well as, preventing access to the physical platform via "back doors" thereby allowing breaches by potentially malicious actors (e.g., using pluggable USB drives, adding wire sniffers to the network, or the internal threat posed by employees with access). | The physical security is concerned with preventing physical harm to the [[dido:public:ra:xapend:xapend.a_glossary:c:computerplaform]] (e.g., theft, fire, flooding, etc.), as well as, preventing access to the physical platform via "back doors" thereby allowing breaches by potentially malicious actors (e.g., using pluggable USB drives, adding wire sniffers to the network, or the internal threat posed by employees with access). | ||
| - | * **Note:** Even though the role of Phsyical Security has somewhat diminished with the acceptance of the [[dido:public:ra:xapend:xapend.a_glossary:z:zero-trust_model]] and [[dido:public:ra:xapend:xapend.a_glossary:z:zta]], it still plays a key role as the first line of defense, but by itself, it is not enough.[[dido:public:ra:xapend:xapend.b_stds:tech:nist:zta]] | + | * [[[dido:public:ra:xapend:xapend.a_glossary:c:coldboot_atack]] |
| + | * [[dido:public:ra:xapend:xapend.a_glossary:d:data_remanence]] | ||
| </WRAP>| | </WRAP>| | ||
| ^ [[dido:public:ra:xapend:xapend.a_glossary:d:datasecurity]] |<WRAP>Data security ensures that [[dido:public:ra:xapend:xapend.a_glossary:d:dataatrest]], [[dido:public:ra:xapend:xapend.a_glossary:d:data_in_motion]], or [[dido:public:ra:xapend:xapend.a_glossary:d:data_in_use]] remains intact (i.e., completeness, accuracy and consistency). For example, allowing incomplete data to be stored (i.e., date of a transaction, or //authorized by// fields). [[dido:public:ra:xapend:xapend.a_glossary:r:roundofferror]] can also affect the accuracy of the data. Modifying a bank account balance introduces inconsistencies that can be detected. | ^ [[dido:public:ra:xapend:xapend.a_glossary:d:datasecurity]] |<WRAP>Data security ensures that [[dido:public:ra:xapend:xapend.a_glossary:d:dataatrest]], [[dido:public:ra:xapend:xapend.a_glossary:d:data_in_motion]], or [[dido:public:ra:xapend:xapend.a_glossary:d:data_in_use]] remains intact (i.e., completeness, accuracy and consistency). For example, allowing incomplete data to be stored (i.e., date of a transaction, or //authorized by// fields). [[dido:public:ra:xapend:xapend.a_glossary:r:roundofferror]] can also affect the accuracy of the data. Modifying a bank account balance introduces inconsistencies that can be detected. | ||
| - | * **Note:** Formalization of [[dido:public:ra:xapend:xapend.a_glossary:z:zero-trust_model]] and [[dido:public:ra:xapend:xapend.a_glossary:z:zta]] has set a [[dido:public:ra:xapend:xapend.a_glossary:g:goal|goal]] of: //"preventing unauthorized access to data and services coupled with making the access control enforcement as granular as possible. "//[[dido:public:ra:xapend:xapend.b_stds:tech:nist:zta]] | + | * [[dido:public:ra:xapend:xapend.a_glossary:z:zero-trust_model]] |
| - | * **Note:** Another way to achieve data security while the data is in motion is to use [[dido:public:ra:xapend:xapend.a_glossary:t:tor]] which was designed by the U.S. Navy to protect sensitive documents [[https://whatis.techtarget.com/definition/TOR-third-generation-onion-routing]]. | + | * [[dido:public:ra:xapend:xapend.a_glossary:z:zta]] |
| + | * [[dido:public:ra:xapend:xapend.a_glossary:t:tor]] | ||
| </WRAP>| | </WRAP>| | ||
| ^ [[dido:public:ra:xapend:xapend.a_glossary:n:networksecurity]] |<WRAP> | ^ [[dido:public:ra:xapend:xapend.a_glossary:n:networksecurity]] |<WRAP> | ||
| Network security issues are generally the result of unaddressed network vulnerabilities. There are three main network categories for vulnerabilities: software, hardware, or organizational processes. Software and hardware that are not kept current are subject to malicious attacks by merely exploiting known vulnerabilities. Another issue for networks are social engineering attacks where people violate hardware and software protection [[dido:public:ra:xapend:xapend.a_glossary:p:policy|policy]] and procedures to compromise the data. The first line of defense for networks is the use of a [[dido:public:ra:xapend:xapend.a_glossary:h:hardwarefirewall]], which predominately protects the [[dido:public:ra:xapend:xapend.a_glossary:n:netnode | Network Nodes]] inside a [[dido:public:ra:xapend:xapend.a_glossary:l:lan]] from external Nodes on the [[dido:public:ra:xapend:xapend.a_glossary:i:internet]]. Another common tool is the use of [[dido:public:ra:xapend:xapend.a_glossary:a:acl | Networking Access Control Lists (ACLs)]]. | Network security issues are generally the result of unaddressed network vulnerabilities. There are three main network categories for vulnerabilities: software, hardware, or organizational processes. Software and hardware that are not kept current are subject to malicious attacks by merely exploiting known vulnerabilities. Another issue for networks are social engineering attacks where people violate hardware and software protection [[dido:public:ra:xapend:xapend.a_glossary:p:policy|policy]] and procedures to compromise the data. The first line of defense for networks is the use of a [[dido:public:ra:xapend:xapend.a_glossary:h:hardwarefirewall]], which predominately protects the [[dido:public:ra:xapend:xapend.a_glossary:n:netnode | Network Nodes]] inside a [[dido:public:ra:xapend:xapend.a_glossary:l:lan]] from external Nodes on the [[dido:public:ra:xapend:xapend.a_glossary:i:internet]]. Another common tool is the use of [[dido:public:ra:xapend:xapend.a_glossary:a:acl | Networking Access Control Lists (ACLs)]]. | ||
| + | * [[dido:public:ra:xapend:xapend.a_glossary:h:hardwarefirewall]] | ||
| + | * [[dido:public:ra:xapend:xapend.a_glossary:a:acl]] | ||
| + | * [[dido:public:ra:xapend:xapend.a_glossary:h:https]] | ||
| + | * [[dido:public:ra:xapend:xapend.a_glossary:s:ssl]] | ||
| + | * [[dido:public:ra:xapend:xapend.a_glossary:t:tls]] | ||
| </WRAP>| | </WRAP>| | ||
| ^ [[dido:public:ra:xapend:xapend.a_glossary:p:platformsecurity]] |<WRAP> | ^ [[dido:public:ra:xapend:xapend.a_glossary:p:platformsecurity]] |<WRAP> | ||
| Platform security involves an attack on a [[dido:public:ra:xapend:xapend.a_glossary:c:computerplaform]] by the introduction of [[dido:public:ra:xapend:xapend.a_glossary:m:malware|malicious software]], the modification of [[dido:public:ra:xapend:xapend.a_glossary:a:accesscontrol|access controls]] or configuration data, or having incorrectly configured settings (i.e., [[dido:public:ra:xapend:xapend.a_glossary:s:softwarefirewall]], [[dido:public:ra:xapend:xapend.a_glossary:a:acl]], [[dido:public:ra:xapend:xapend.a_glossary:f:fde]]). Many platforms can require authorization of peripheral functions such as geo-location services, [[dido:public:ra:xapend:xapend.a_glossary:b:bluetooth]], [[dido:public:ra:xapend:xapend.a_glossary:t:tcp|TCP]]/[[dido:public:ra:xapend:xapend.a_glossary:i:ip|IP]] networks, radio networks, and segmented portions of the disk storage such as photos. | Platform security involves an attack on a [[dido:public:ra:xapend:xapend.a_glossary:c:computerplaform]] by the introduction of [[dido:public:ra:xapend:xapend.a_glossary:m:malware|malicious software]], the modification of [[dido:public:ra:xapend:xapend.a_glossary:a:accesscontrol|access controls]] or configuration data, or having incorrectly configured settings (i.e., [[dido:public:ra:xapend:xapend.a_glossary:s:softwarefirewall]], [[dido:public:ra:xapend:xapend.a_glossary:a:acl]], [[dido:public:ra:xapend:xapend.a_glossary:f:fde]]). Many platforms can require authorization of peripheral functions such as geo-location services, [[dido:public:ra:xapend:xapend.a_glossary:b:bluetooth]], [[dido:public:ra:xapend:xapend.a_glossary:t:tcp|TCP]]/[[dido:public:ra:xapend:xapend.a_glossary:i:ip|IP]] networks, radio networks, and segmented portions of the disk storage such as photos. | ||
| + | * [[dido:public:ra:xapend:xapend.a_glossary:s:softwarefirewall]] | ||
| + | * [[dido:public:ra:xapend:xapend.a_glossary:a:acl]] | ||
| + | * [[dido:public:ra:xapend:xapend.a_glossary:f:fde]] | ||
| + | * [[dido:public:ra:xapend:xapend.a_glossary:f:fme]] | ||
| + | * Authorization of [[dido:public:ra:xapend:xapend.a_glossary:p:peripheral_device]] such as: | ||
| + | * [[dido:public:ra:xapend:xapend.a_glossary:g:geolocation]] services, | ||
| + | * [[dido:public:ra:xapend:xapend.a_glossary:b:bluetooth]] | ||
| + | * [[dido:public:ra:xapend:xapend.a_glossary:t:tcp]] networks | ||
| + | * [[dido:public:ra:xapend:xapend.a_glossary:w:wireless]] | ||
| + | * segmented portions of the disk storage | ||
| </WRAP>| | </WRAP>| | ||
| ^ [[dido:public:ra:xapend:xapend.a_glossary:a:applicationsecurity]] |<WRAP> | ^ [[dido:public:ra:xapend:xapend.a_glossary:a:applicationsecurity]] |<WRAP> | ||
| [[dido:public:ra:xapend:xapend.a_glossary:a:applicationsecurity]] features include [[dido:public:ra:xapend:xapend.a_glossary:a:authentication|authentication]] of users using multi-factor authentication such as user id and [[dido:public:ra:xapend:xapend.a_glossary:p:password]], asking additional questions only the user knows the answer to, use of a [[dido:public:ra:xapend:xapend.a_glossary:o:otp]] to a known device, a fingerprint or face recognition. Application Security also includes authorization that maps the user's identity with a list of applications the user can access and even the [[dido:public:ra:xapend:xapend.a_glossary:p:privileges|privileges]] the user has within the application (read/write/delete, etc). Sometimes an [[dido:public:ra:xapend:xapend.a_glossary:a:application|application]] can encrypt information as it moves between the components of the system ([[dido:public:ra:xapend:xapend.a_glossary:c:cpu|CPU]], Memory, Disk, network, etc.). Another key aspect is the secure logging of activities occurring within an application (e.g., the user granted access, the user deletes information, user updates information, etc.) | [[dido:public:ra:xapend:xapend.a_glossary:a:applicationsecurity]] features include [[dido:public:ra:xapend:xapend.a_glossary:a:authentication|authentication]] of users using multi-factor authentication such as user id and [[dido:public:ra:xapend:xapend.a_glossary:p:password]], asking additional questions only the user knows the answer to, use of a [[dido:public:ra:xapend:xapend.a_glossary:o:otp]] to a known device, a fingerprint or face recognition. Application Security also includes authorization that maps the user's identity with a list of applications the user can access and even the [[dido:public:ra:xapend:xapend.a_glossary:p:privileges|privileges]] the user has within the application (read/write/delete, etc). Sometimes an [[dido:public:ra:xapend:xapend.a_glossary:a:application|application]] can encrypt information as it moves between the components of the system ([[dido:public:ra:xapend:xapend.a_glossary:c:cpu|CPU]], Memory, Disk, network, etc.). Another key aspect is the secure logging of activities occurring within an application (e.g., the user granted access, the user deletes information, user updates information, etc.) | ||
| + | * [[dido:public:ra:xapend:xapend.a_glossary:a:authentication]] | ||
| + | * [[dido:public:ra:xapend:xapend.a_glossary:a:accesscontrol]] | ||
| + | * [[dido:public:ra:xapend:xapend.a_glossary:m:mfa]] | ||
| + | * [[dido:public:ra:xapend:xapend.a_glossary:o:otp]] | ||
| + | * [[dido:public:ra:xapend:xapend.a_glossary:t:2fa]] | ||
| + | * [[dido:public:ra:xapend:xapend.a_glossary:n:n-tier]] | ||
| </WRAP>| | </WRAP>| | ||
| ^ [[dido:public:ra:xapend:xapend.a_glossary:c:securityculture | Culture Security ]]|<WRAP> | ^ [[dido:public:ra:xapend:xapend.a_glossary:c:securityculture | Culture Security ]]|<WRAP> | ||
| Line 40: | Line 65: | ||
| [[https://www.enisa.europa.eu/publications/cyber-security-culture-in-organisations]] | [[https://www.enisa.europa.eu/publications/cyber-security-culture-in-organisations]] | ||
| )) | )) | ||
| + | * [[dido:public:ra:xapend:xapend.a_glossary:n:nda]] | ||
| + | * [[dido:public:ra:xapend:xapend.a_glossary:d:dlp]] | ||
| + | * [[dido:public:ra:xapend:xapend.a_glossary:d:drp]] | ||
| + | * [[dido:public:ra:xapend:xapend.a_glossary:b:bia]] | ||
| </WRAP>| | </WRAP>| | ||
| </table> | </table> | ||
dido/public/ra/1.4_req/2_nonfunc/25_security.1628872981.txt.gz · Last modified: 2021/08/13 12:43 by murphy
