ITCS405-Week04
Foundation of
Cybersecurity
Week 04: Introduction to Cybersecurity
Dr. Lubna Fayez Eliyan
College of Information Technology
Week04: Outline
▪OSI Security Architecture
▪Attacks
▪Mechanisms
▪Services
▪Computer Security Strategy
▪Policies
▪Mechanisms
▪Assurance
▪Security Standards
OSI Security Architecture
Computer Security Strategy
Security Strategy- Main Aspects
1. Specification/policy:
▪ What is the security scheme supposed to do?
2. Implementation/mechanisms:
▪ How does it do it?
3. Correctness/assurance:
▪ Does it really work?
1- Security Strategy- Policy
▪Definition
▪Examples
▪Development considerations
Security Strategy- Security Policy
▪Definition:
▪a formal statement of rules and practices that specify or regulate how a
system or organization provides security services to protect sensitive
and critical system resources
▪Should be enforced by:
▪the system’s technical controls
▪management and operational controls
Security Strategy- Security Policy
▪Examples:
▪Network security policy
▪Physical security policy
▪Disaster recovery and business continuity policy
▪Password policy
▪Access control policy
▪Data security policy
Security Policy- Examples- Password Policy
1. Long, random: a string of mixed-case letters, numbers, and symbols, or
a passphrase of 4-7 random words.
2. Should not contain the first/last name of the user
3. Use multifactor authentication (MFA)
4. Don’t allow password reuse
5. Keep a blocklist of bad or weak passwords
▪Passwords that have been breached
▪Dictionary words
▪Repetitive or sequential characters
▪Words associated with a specific context (e.g., the company name)
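As an added example (not part of the slides), the following Python validator applies rules 1, 2, 4 and 5 above to a candidate password. The corpora (BREACHED, DICTIONARY, CONTEXT_WORDS), the 12-character minimum for random strings and the PBKDF2 parameters are assumptions chosen for illustration; rule 3 (MFA) is a login-time control rather than a property of the password string, so it is not checked here.

```python
import hashlib
import hmac
import os
import re

# Constructed sample corpora. A real deployment would load a breach list
# (e.g. a Have I Been Pwned export), a wordlist and the organisation's own
# context words instead of these hypothetical sets.
BREACHED = {"password123", "qwerty123!", "letmein2024", "welcome1"}
DICTIONARY = {"password", "welcome", "dragon", "sunshine", "monkey", "football"}
CONTEXT_WORDS = {"acme", "acmecorp"}          # assumed company name

MIN_RANDOM_LEN = 12        # assumed threshold for "long, random" strings
PASSPHRASE_WORDS = (4, 7)  # the slide's 4-7 word passphrase range
PBKDF2_ROUNDS = 100_000    # assumed work factor for stored history


def is_long_random(pw):
    """Rule 1a: at least MIN_RANDOM_LEN chars drawn from all four character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return len(pw) >= MIN_RANDOM_LEN and all(re.search(c, pw) for c in classes)


def is_passphrase(pw):
    """Rule 1b: 4-7 alphabetic words separated by spaces or hyphens."""
    words = [w for w in re.split(r"[\s\-]+", pw.strip()) if w]
    return (PASSPHRASE_WORDS[0] <= len(words) <= PASSPHRASE_WORDS[1]
            and all(w.isalpha() for w in words))


def base_word(pw):
    """Strip trailing digits/symbols so 'dragon2024!' is judged as 'dragon'."""
    return re.sub(r"[^a-z]+$", "", pw.lower())


def has_repeats(pw, run=4):
    """Same character repeated `run` or more times (e.g. 'aaaa', '!!!!')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_sequence(pw, run=4):
    """Straight ascending or descending runs of `run` chars ('abcd', '4321')."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        codes = [ord(c) for c in s[i:i + run]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def hash_password(pw, salt=None):
    """Salted PBKDF2-HMAC-SHA256 digest: the form in which password history is kept."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


def was_used_before(pw, history):
    """Rule 4: compare against each stored (salt, digest) pair, never against plaintext."""
    for salt, digest in history:
        candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(pw, first_name, last_name, history=()):
    """Return the list of violated rules; an empty list means the password is accepted."""
    problems = []
    low = pw.lower()

    # Rule 1: a long random string or a 4-7 word passphrase.
    if not (is_long_random(pw) or is_passphrase(pw)):
        problems.append("rule 1: need >= 12 chars of mixed case, digits and symbols, or a 4-7 word passphrase")

    # Rule 2: must not contain the user's first or last name (names under 3 chars skipped).
    for name in (first_name, last_name):
        if len(name) >= 3 and name.lower() in low:
            problems.append(f"rule 2: contains user's name {name!r}")

    # Rule 4: no reuse of a previous password.
    if was_used_before(pw, history):
        problems.append("rule 4: password was used before")

    # Rule 5: blocklist of breached, dictionary, patterned and context-specific passwords.
    if low in BREACHED:
        problems.append("rule 5: appears in breach corpus")
    if base_word(pw) in DICTIONARY:
        problems.append("rule 5: dictionary word (optionally padded with digits/symbols)")
    if has_repeats(pw) or has_sequence(pw):
        problems.append("rule 5: repetitive or sequential characters")
    for word in CONTEXT_WORDS:
        if word in low:
            problems.append(f"rule 5: contains context word {word!r}")
    return problems


if __name__ == "__main__":
    for pw in ("password123", "Acme2024!!!!", "correct horse battery staple", "Tr0ub4dor&3xQ!mZ"):
        print(f"{pw!r}: {check_password(pw, 'Ali', 'Hassan') or 'OK'}")
```

Two design points worth noting: the dictionary check is applied to the whole string with trailing digits and symbols stripped, so a passphrase built from common words still passes (rule 1 explicitly allows it) while "dragon2024!" does not; and history is compared through salted PBKDF2 digests with a constant-time comparison, so enforcing rule 4 never requires keeping old passwords in clear.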
Security Policy- Examples- Access Control Policy
▪Adopt a Zero Trust Policy
▪Operating on the principle of "never trust, always verify", this policy requires
every access request to be authenticated and authorized, regardless of who the
user is or where the request comes from; being on the internal network earns no
implicit trust.
▪Adopt Least Privilege
▪Users should have only the minimal access necessary for their jobs. This limits
what a compromised account or a malicious insider can reach and so significantly
reduces the risk of unauthorized data access or data leaks.
▪Separation of Duties (SoD)
▪dividing tasks and responsibilities among different users
▪prevents any single individual from having excessive control over sensitive
data or processes and reduces the risk of errors or fraud.
▪Conduct Regular Access Reviews
▪regular audits of access control systems
▪can help identify inactive users, outdated permissions, and other
potential vulnerabilities.
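An added example (not from the slides) that automates the separation-of-duties and access-review checks above over a constructed identity export: it flags dormant accounts, roles that no longer match a user's department (least-privilege drift), and users holding both halves of a conflicting entitlement pair. The role names, entitlements, departments, user records and the 90-day dormancy threshold are all hypothetical.

```python
from datetime import date

# Constructed role model (hypothetical names, not taken from any real system).
ROLE_ENTITLEMENTS = {
    "ap_clerk":    {"vendor_create", "invoice_enter"},
    "ap_manager":  {"payment_approve"},
    "developer":   {"code_commit"},
    "release_mgr": {"prod_deploy"},
}
# Roles each department is entitled to hold; any other role is an outdated grant.
ROLES_FOR_DEPT = {
    "finance":     {"ap_clerk", "ap_manager"},
    "engineering": {"developer", "release_mgr"},
}
# Separation-of-duties rules: no single person may hold both sides of a pair.
SOD_CONFLICTS = [
    ("vendor_create", "payment_approve"),   # create a supplier and then pay it
    ("code_commit", "prod_deploy"),         # write code and ship it without a second party
]
INACTIVE_DAYS = 90                 # assumed dormancy threshold
TODAY = date(2024, 6, 1)           # fixed review date so the example is reproducible


def effective_entitlements(roles):
    """Union of the entitlements granted by a user's roles."""
    return set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in roles))


def review_access(users, today, inactive_days=INACTIVE_DAYS):
    """Return findings as (user, category, detail) tuples."""
    findings = []
    for u in users:
        ents = effective_entitlements(u["roles"])
        # Inactive accounts: never logged in, or dormant past the threshold.
        if u["last_login"] is None or (today - u["last_login"]).days > inactive_days:
            findings.append((u["name"], "inactive", f"last login {u['last_login']}"))
        # Outdated permissions: roles that do not belong to the user's current department.
        for role in sorted(set(u["roles"]) - ROLES_FOR_DEPT.get(u["dept"], set())):
            findings.append((u["name"], "outdated", f"role {role} not valid for {u['dept']}"))
        # Separation of duties: both halves of a conflicting pair held by one person.
        for a, b in SOD_CONFLICTS:
            if a in ents and b in ents:
                findings.append((u["name"], "sod", f"holds both {a} and {b}"))
    return findings


def sample_users():
    """Constructed identity data for the review."""
    return [
        {"name": "sara",      "dept": "finance",     "roles": ["ap_clerk", "ap_manager"], "last_login": date(2024, 5, 28)},
        {"name": "omar",      "dept": "engineering", "roles": ["developer"],              "last_login": date(2024, 1, 10)},
        {"name": "lina",      "dept": "engineering", "roles": ["developer", "ap_clerk"],  "last_login": date(2024, 5, 30)},
        {"name": "nabil",     "dept": "finance",     "roles": ["ap_manager"],             "last_login": date(2024, 5, 25)},
        {"name": "svc-build", "dept": "engineering", "roles": ["release_mgr"],            "last_login": None},
    ]


if __name__ == "__main__":
    for user, category, detail in review_access(sample_users(), TODAY):
        print(f"{category:9} {user:10} {detail}")
```

The review works on effective entitlements rather than role names, so a conflict is caught even when the two sides come from different roles (sara holds vendor_create via ap_clerk and payment_approve via ap_manager). Service accounts with no login history show up as inactive and deserve a separate justification rather than silent exemption.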
Security Policy- Examples- Data Security Policy
▪Data Protection
▪Data Backup and Recovery
▪Data Retention Policy
▪Data Privacy Policy
▪Policy Review
Security Policy- Development
▪Main Considerations:
▪The value of the assets being protected
▪The vulnerabilities of the system
▪ Potential threats and the likelihood of attacks
▪Tradeoffs Considerations:
▪Ease of use versus security
▪Cost of security versus cost of failure and recovery
Security Policy- Development- Tradeoff Considerations- Ease of use versus security
▪Virtually all security measures involve some penalty in the area of ease of use.
▪Examples:
▪Access Control Mechanisms
▪ require users to remember passwords
▪ perform other access control actions
▪Firewalls and other network security
▪ may reduce available transmission capacity
▪ impose slow response time
▪Virus-checking software
▪ reduces available processing power
▪ introduces the possibility of system crashes or malfunctions
▪ → due to improper interaction between the security software and the operating
system.
Security Policy- Development- Tradeoff Considerations- Cost of security versus cost of failure and recovery
▪Security measures carry direct monetary costs to implement and maintain.
▪All costs must be balanced against the cost of security failure and recovery if
certain security measures are lacking.
▪The cost of security failure and recovery must consider both:
▪the value of the assets being protected and the damages resulting from a
security violation, AND
▪the risk, which is the probability that a particular threat will exploit a
particular vulnerability with a particular harmful result
2. Security Strategy- Security Implementation
▪Includes a sequence of four actions: prevention, detection, response, and recovery.
Security Implementation- Prevention
▪1. Prevention:
▪Considered for a wide range of threats in which prevention is a
reasonable goal.
▪Example
▪Transmission of encrypted data
▪→use of a secure encryption algorithm
▪→ set measures to prevent unauthorized access to encryption keys
▪→→ attacks on the confidentiality of the transmitted data will be
prevented.
Security Implementation- Detection
▪2. Detection:
▪In many cases absolute protection is not feasible, but it is practical to
detect security attacks while they are in progress
▪Examples
▪intrusion detection systems
▪→designed to detect the presence of unauthorized individuals
logged onto a system
▪denial of service attack detection
▪→monitors the communications or processing resources being consumed, so
that an attempt to exhaust them and make them unavailable to legitimate users
is noticed
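An added example, not from the slides, of the second detection case: a sliding-window monitor that accounts for the requests and response bytes each source consumes and raises an alert the first time either exceeds a threshold within a ten-second window. The log format, the addresses, the traffic mix and the thresholds are constructed for this example and would need tuning against real baseline traffic.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (one request per line, constructed for this example):
#   <ISO-8601 timestamp> <source IP> <method> <path> <status> <response bytes>
WINDOW = timedelta(seconds=10)
REQ_THRESHOLD = 20            # requests per source per window (assumed tuning value)
BYTE_THRESHOLD = 5_000_000    # response bytes per source per window (assumed)


def parse_line(line):
    """Split one log line into (timestamp, source IP, response bytes)."""
    ts, ip, _method, _path, _status, size = line.split()
    return datetime.fromisoformat(ts), ip, int(size)


def detect_floods(lines, window=WINDOW, req_threshold=REQ_THRESHOLD,
                  byte_threshold=BYTE_THRESHOLD):
    """Per-source sliding-window resource accounting.

    Returns {ip: (timestamp, reason)} for the first moment each source's
    consumption inside `window` exceeded a threshold. Lines must be in time order.
    """
    recent = defaultdict(deque)     # ip -> deque of (timestamp, bytes) inside the window
    alerts = {}
    for line in lines:
        ts, ip, size = parse_line(line)
        q = recent[ip]
        q.append((ts, size))
        while q and ts - q[0][0] > window:   # drop entries that fell out of the window
            q.popleft()
        if ip in alerts:                     # report each source once
            continue
        total_bytes = sum(s for _, s in q)
        if len(q) > req_threshold:
            alerts[ip] = (ts, f"{len(q)} requests in {window.seconds}s")
        elif total_bytes > byte_threshold:
            alerts[ip] = (ts, f"{total_bytes} bytes in {window.seconds}s")
    return alerts


def sample_log():
    """Constructed traffic: three normal clients plus one flooding source."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    entries = []
    for ip in ("198.51.100.4", "198.51.100.5", "198.51.100.6"):
        for i in range(30):                            # one request every 2 s
            entries.append((t0 + timedelta(seconds=2 * i), ip, 1200))
    for i in range(40):                                # 40 requests in 4 s
        entries.append((t0 + timedelta(milliseconds=100 * i), "203.0.113.7", 512))
    entries.sort()
    return [f"{ts.isoformat()} {ip} GET /login 200 {size}" for ts, ip, size in entries]


if __name__ == "__main__":
    for ip, (ts, why) in detect_floods(sample_log()).items():
        print(f"ALERT {ts.isoformat()} {ip}: {why}")
```

A normal client here never has more than six requests in any ten-second window, while the flooding source crosses the request threshold two seconds into its burst. Counting bytes as well as requests matters because a few large responses can exhaust bandwidth just as effectively as many small ones; in practice the thresholds are set from observed baselines, and the per-source keying should be backed by aggregate limits, since a distributed flood spreads its load across many addresses.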
Security Implementation- Response
▪3. Response:
▪if security mechanisms detect an ongoing attack, such as a denial-of-
service attack
▪→the system may be able to respond in such a way as to halt the
attack and prevent further damage.
Security Implementation- Recovery
▪4. Recovery:
▪Use of backup systems, so if data integrity is compromised, a prior
correct copy of the data can be reloaded.
3. Security Strategy- Assurance and Evaluation
▪Security consumers want to feel that the security infrastructure of their
systems meets security requirements and enforces security policies.
▪Assurance
▪→ confidence that the system operates such that the system’s security
policy is enforced.
▪“Does the security system design meet its requirements?”
▪“Does the security system implementation meet its specifications?”
▪Assurance is expressed as a degree of confidence, not formal proof that a
design or implementation is correct.
▪→ It is not possible to provide absolute proof.
Security Strategy- Assurance and Evaluation
▪Evaluation
▪is the process of examining a computer product or system with respect to
certain criteria.
▪→ Evaluation involves
▪Testing, formal analytic or mathematical techniques.
Security Standards
▪NIST: National Institute of Standards and Technology
▪U.S. federal agency responsible for measurement science, standards, and
technology; its FIPS and SP 800 series publications are widely used as
security standards and guidelines beyond the U.S. government.
▪ITU-T: Telecommunication Standardization Sector of the International
Telecommunication Union (ITU)
▪ITU is a United Nations agency in which governments and the private sector
coordinate global telecom networks and services; ITU-T Recommendation X.800
defines the OSI security architecture covered at the start of this week.
▪ISO: The International Organization for Standardization (ISO) is a
worldwide federation of national standards bodies from more than 140
countries.
From Book- Key Terms
From Book- Key Terms 2