Info Assurance & Security Lecture 3,4
Threats and Vulnerbilities
strategies: specific goal we want to achieve
principle: high level
- information
telephone, records
Information are not just computer information
- Threat is a potential occurrence that can have an undesirable effect on the system.
- A vulnerability is a weakness that makes a threat possibily occur, and there is not way to ensure no vulnerability
Four categories of threats
- disclosure: Unauthorized access to information
- snooping
- deception: Acceptance of false data
- altenation
- spoofing
- denial of receipt ( when we sent people a email, how to make sure we are sending to the right person? Using public and private keysg)
Security principles
Auditability and Accountability
- Auditability is the ability to verify the activities of a control
- Accountability is to hold Individual answeable responsible or liable
Access Control
- Separation of functions - No one owns all process, control all security features, or process unrestricted access to all information i.e. (CEO has the right to know everything, but checker need to write record)
- Role-based access control (RBAC)
- Asscoiate role with each individual
- Individual needs to be authentication
- Situation-aware c
- Confidentiality
- confidentiality principles include:
- need to know: An individual should possess combination of clearance, privilege of access, and need-to-know,before being authorized access
- Data seperation
- Compartmentalization: seperate tasks
- Classification: Assign labels to information to identify the appropriate level of protection, handling and control the information
- Corporation: public use - registered- confidential
- US Goverment - Official use only - top secret
- Encryption
- A reversible process of transforming plain text
- confidentiality principles include: