Introduction to Security Principles
It is important to understand Security principles in order to manage the information security of any system. Security principles are the building blocks to identify the type of attack and solution for that.
These are the set of standards that are designed to minimize the vulnerability of systems and services to attackers who may obtain unauthorized access to sensitive data and misuse it.
Principles of Security
below is the list of security principles
The confidentiality principle of security states that only their intended sender and receiver should be able to access messages, if an unauthorized person gets access to this message then the confidentiality gets compromised. For example, suppose user X wants to send a message to user Y, and X does not want some else to get access to this message, or if it gets access, he/she does not come to know about the details. But if user Z somehow gets access to this secret message, which is not desired, then the purpose of this confidentiality gets fail. This leads to the interception. i.e. if user Z access the secret message or email sent by user X to Y without permission of X and Y, then it is called an interception. Interception causes loss of message confidentiality.
The authentication principle of security establishes proof of identity, it ensures that the origin of a document or electronic message is correctly identified. For example suppose user Z sends a message to user Y, however, the trouble is that user Z posed as user X while sending a message to user Y. How would user Y know that message comes from Z, not X. This leads to the fabrication attack. For example
The attacker can act as user X and sends fund transfer request( from X’ account to attacker account) to a bank, and the bank will transfer the amount as requested from X’s account to attacker, as banks think fund transfer request comes from user X. Fabrication is possible in absence of proper authentication mechanism.
The integrity principle of security states that the message should not be altered. In other words, we can say that, when the content of the message changes after the sender sends it, but before it reaches the intended receiver, we can say that integrity of the message is lost. For example, suppose user X sends a message to User Y, and attacker Z somehow gets access to this message during transmission and changes the content of the message and then sends it to user Y. User Y and User X does not have any knowledge that the content of the message was changed after user X send it to Y. This leads to a modification. Modification causes loss of message integrity.
Non-repudiation principle of security does not allow the sender of a message to refute the claim of not sending that message. There are some situations where the user sends a message and later on refuses that he/she had sent that message. For example, user X sends requests to the bank for fund transfer over the internet. After the bank performs fund transfer based on user X request, User X cannot claim that he/she never sent the fund transfer request to the bank. This principle of security defeats such possibilities of denying something after having done it.
5. Access control
Access control principles of security determine who should be able to access what. i.e. we can specify that what users can access which functions, for example, we can specify that user X can view the database record but cannot update them, but user Y can access both, can view record, and can update them. This principle is broadly related to two areas – role management and rule management where role management concentrates on the user side. i.e. which user can do what and rule management concentrate on the resources side i.e. which resource is available. Based on this matrix is prepared, which lists the user against q list of items they can access. The access control list is a subset of the access control matrix.
The availability principle of security states that resources should be available to the authorized person at all times. For example, because of the intentional action of another unauthorized user Z, an authorized user x may not be able to contact server Y, this leads to an interruption attack, interruption puts the availability of resources in danger. A real-life example of this could be, suppose attacker or unauthorized person Z tries to access the FB Account of user X, as User Z does not know the password of user X, he/she tries to log in to the X’s account using a random password. after attempting maxim limit for the password, if it is not correct then X’s account will be blocked, therefore because of unauthorized person Z, user X could not access his account.
7. Ethical and legal issues
Ethical issues in the security system are classified into the following categories
- Privacy: It deals with the individual’s right to access the personal information
- Accuracy: It deals with the responsibility of authentication, fidelity, and accuracy of information
- Property: It deals with the owner of the information
- Accessibility: It deals with what information does an organization has the right to collect.
while dealing with legal issues, we must remember that there is a hierarchy of regulatory bodies that govern the legality of information security, it can be classified into the following categories
This is a guide to Security Principles. Here we discuss the principle of security that will help you to understand the attacks in a better manner and also help you to think about the possible situation to tackle them. You may also have a look at the following articles to learn more –