2.6 Selecting Security Controls

When we implement security requirements, our goal is to provide security controls to cover those requirements. The security controls are the features of the system that implement the requirements. In general, security controls fall into three categories:

  1. Preventative: These controls directly block actions that violate security requirements. Most designers prefer to use these controls because they directly implement requirements.

  2. Detective: These controls detect violations of requirements so that administrators, security officers, auditors, or investigators can see them. Some security techniques simply detect problems but can’t prevent them.

  3. Corrective: These controls take measures to help restore the system. Truly corrective controls are rare in information security.

To simplify the job of analyzing security, we classify controls according to the six categories listed in BOX 2.2.

We describe each control with the following information:

  • Control number—like the requirements, we number each security control. A complicated implementation might use outline numbering so that statements are arranged into sections and subsections.

  • Control category—associates each control with one of the six categories shown in Box 2.2.

  • Description of the control—what it is and how we configure it to fulfill the requirement’s objective.

  • Relationship to requirements—the corresponding numbered requirements that this control helps enforce.

We show that the list of requirements covers the system’s risks by cross-referencing the requirements to the risk statements. When we build our list of security controls, we do the same thing: We cross-reference each control to the requirements it implements.

In Alice’s case, we don’t need rocket science, sophisticated technology, or software engineering to implement her security requirements. We use a straightforward collection of physical, logical, and procedural controls, listed in TABLE 2.3. Note that the controls aren’t listed in any particular order. They are not applied sequentially; they all apply at all times. The control numbers just allow us to keep track of them.

TABLE 2.3 Alice’s Security Controls

[Table 2.3 appeared as an image in the source and is not reproduced here.]

To verify that the design implements the requirements, we review its coverage the same way we compared the requirements to the risks. Each requirement must be addressed by at least one security control. We also need to assess the completeness with which the controls enforce the requirements. This is the point where vulnerabilities often arise in otherwise well-designed systems: at places where security requirements are only partially fulfilled.
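The two cross-reference checks described above (requirements against risks, controls against requirements) are mechanical enough to script. The following is an added example, not code from the book; the risk, requirement and control identifiers and descriptions in it are constructed for illustration and are not Alice’s actual Table 2.3. It reports any risk with no requirement, any requirement with no control, any reference to an identifier that does not exist, and the requirements that rest on a single control, since those are the places where partial fulfillment is most likely to hide.

```python
"""Coverage check for the risk -> requirement -> control cross-references.

Added example with constructed data; the identifiers below are
hypothetical and do not come from the book's tables.
"""

# Constructed sample data (hypothetical numbering).
RISKS = {
    "R1": "Laptop is stolen",
    "R2": "Laptop hard drive fails",
    "R3": "Unauthorized person reads Alice's files",
    "R4": "Malware corrupts Alice's working files",
}

# requirement id -> (description, set of risk ids it addresses)
REQUIREMENTS = {
    "Q1": ("Recent work must survive loss of the laptop", {"R1", "R2"}),
    "Q2": ("Only Alice may read her working files", {"R3"}),
    "Q3": ("The laptop must not be left unattended in public", {"R1"}),
    "Q4": ("A known-good copy of each file must be recoverable", {"R2"}),
}

# (control id, category, description, set of requirement ids it implements)
CONTROLS = [
    ("C1", "Physical", "Laptop stays with Alice or locked in her office", {"Q3"}),
    ("C2", "Procedural", "Monthly full backup kept at the backup location", {"Q1"}),
    ("C3", "Procedural", "Daily sync to two rotated USB drives", {"Q1"}),
    ("C4", "Logical", "Login password on the laptop", {"Q2"}),
]


def coverage(targets, sources):
    """Map each target id to the source ids that reference it.

    `targets` is a dict keyed by id; `sources` yields (source_id, refs).
    Returns (cover, dangling): `cover` has an entry for every target
    (an empty list means nothing covers it) and `dangling` lists
    references to ids that do not exist at all.
    """
    cover = {t: [] for t in targets}
    dangling = []
    for sid, refs in sources:
        for ref in sorted(refs):
            if ref in cover:
                cover[ref].append(sid)
            else:
                dangling.append((sid, ref))
    return cover, dangling


def check_design(risks, requirements, controls):
    """Return the gaps a reviewer would flag in the two cross-references."""
    req_cover, dangling_req = coverage(
        risks, ((q, refs) for q, (_, refs) in requirements.items()))
    ctl_cover, dangling_ctl = coverage(
        requirements, ((c, refs) for c, _, _, refs in controls))
    return {
        "uncovered_risks": sorted(r for r, qs in req_cover.items() if not qs),
        "uncovered_requirements": sorted(q for q, cs in ctl_cover.items() if not cs),
        "dangling_references": dangling_req + dangling_ctl,
        # A requirement enforced by exactly one control deserves a second
        # look: that control alone decides whether the requirement is met.
        "single_control_requirements": sorted(
            q for q, cs in ctl_cover.items() if len(cs) == 1),
    }


if __name__ == "__main__":
    for name, items in check_design(RISKS, REQUIREMENTS, CONTROLS).items():
        print(f"{name}: {items}")
```

On the sample data the check reports R4 (no requirement addresses the malware risk) and Q4 (no control implements file recovery), which is exactly the kind of partial fulfillment the text warns about: the backups exist, but nothing in the control list says how a known-good version is selected.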

Alice’s Backup Procedure

Backup procedures pose a real challenge for many people. A successful procedure requires discipline. Alice uses a simple, partly automated approach to ensure that she’s never lost more than a few days’ worth of work. She uses conventional backup software once a month to make a complete copy of the laptop’s hard drive. She saves the backup in her backup location. She also uses file synchronization software on a daily basis to keep a copy of her working files on a USB drive.

When she runs the synchronization software, it tries to keep all files in two folders “in sync.” One folder is on the computer and one is on the USB drive. When Alice runs the program, it compares the files in the two folders. If a file in one folder is newer than the copy in the other, it replaces the older file with the newer one. Thus, if Alice updates an advertising brochure on her laptop and synchronizes it with her USB drive, the drive receives the newer copy of the brochure.

Alice then keeps an extra copy of her work files by switching between two separate USB drives. One drive resides in her desk drawer at all times and she carries the other with her laptop; she switches the drives every day or two.

By switching the drives, she keeps recent files in her desk. When she plugs the other USB drive into her laptop, she runs the synchronization program to bring that older drive up to date. This replaces its older files with the latest ones. If her laptop crashes or is stolen, she hasn’t lost her recent work, even if she loses one of the USB drives along with it. Note that the program copies whichever file is newer without judging its contents: if a file on the laptop has been damaged, the next synchronization copies the damaged version to the plugged-in drive. The drive sitting in the desk, unplugged, is what preserves the previous good version.

There are several application programs that synchronize files. Microsoft provides its “SyncToy” application for free on its website. There are also free and low-cost synchronization programs for Macintosh and Linux systems. Another approach is to use “cloud” backup services that synchronize desktop data with storage on the internet. There are many such services, including Dropbox, Box, Google Drive, and Microsoft OneDrive.

Security Services

We deploy security controls to preserve the confidentiality, integrity, and availability (CIA) properties. Some experts describe controls in terms of five security services.

  1. Confidentiality: services that restrict information distribution to people explicitly authorized to receive it.

  2. Integrity: services to protect information against unauthorized modification or destruction. These services may be associated with notions of the relative trustworthiness of different system components.

  3. Availability: services to ensure that information is reliably available. Traditionally these services were not considered security functions because they included power supply reliability or disaster recovery.

  4. Authentication: services that reliably establish the identity of an entity that provides information or commands to the system.

  5. Nonrepudiation: services that reliably indicate the origin of data or indicate that an intended recipient has definitely received a particular message.
