Security in Computing - Assignment Example

Information Security Student’ Name: Instructor: Subject: Date: 1. Confidentiality, integrity and availability (CIA) are the major principles which need to be considered while designing security policies in order counteract security threats for instance interruption, interception, fabrication and modification. Another aspect of consideration is eliminating the vulnerabilities of the computer system. With regard to interception, an unauthorised individual, program, or computer system is in better position to access information asset or resource. To control such there needs to be a robust information security system that has level of integrity and confidentiality thus making data/information unavailable to illegitimate users. On the other hand, if and when a computer system is interrupted by a malicious program, it becomes unusable or unavailable. Besides, unauthorised user may install such malicious programs into the computer system remotely. Conversely, tampering with the information asset or resource amounts to modification which may be done changing the extensions or codes of the database files. On the other hand, an illegitimate user may create counterfeit objects within the computer system which looks similar to the original programs (Pfleeger, 2006). To achieve Confidentiality, integrity and availability, it is required to have or institute access controls so as to avoid unauthorized access to information resources and/or systems. Such access controls comes in handy to achieve confidentiality or privacy (preventing unauthorized disclosure or access to information) and integrity (preventing unauthorized modification of information). Generally, access controls systems determine how a particular process (subject) may access an object (a resource). According to Gollmann (2010), access controls encompasses; instituting security policies (whereby principals are allowed to access specific resources), authentication of information accessed or supplied with an access request, and evaluation of access request in regard to a given security policy. Access controls may be either discretionary access controls and/or mandatory access controls. As such they stipulate whether an individual or a system running under a given user identity is allowed/authorized to access a particular resource. In such case, unnecessary interruption, interception, modification and fabrication of information or data is avoided. 2. DES as a standard has been adopted by national Bureau of Standards in USA and it is applied in many software and hardware systems. Because of the repeated application of permutation and substitution, DES algorithm is very strong when used in encrypting data. With reference to Shannon’s cryptographic standards, DES of logical operations and standard arithmetic on up to 64-bit numbers, it can be comfortably applied in more recent computers. On the other hand, DES complex and this does not limit its implementation on single-purpose chips. Besides, as Shannon had identified that by applying two weak ciphers together (product) would result in a more secure cipher, DES complies to this splitting data blocks into two, scrambling each half independently, combining the key with one half and swapping the other two halves. For the Advanced Encryption Standard (AES) it was an improvement of DES based on security features, cost of operation and the ease with which it could be implemented in computer software. AES can be easily implemented on simple processors and although it makes use of strong mathematical computations it applies transposition, substitution and the exclusive or shift operations. AES algorithm has got no room fro security flaws compared to DES as it has been established through research. On the other hand, longevity of AES is largely optimistic as well as difficult to understand. AES may apply an 18-bit, 192-bit, or 256-bit key which implies that the algorithm starts with a key which is twice the size of DES key and also has a room fro extending more. In this respect, as Shannon had observed, the ability of AES to double the length of the key would mean squaring the number of possible keys which are required to be tested in an attempt to break encryption. Therefore, AES would in future apply a longer key length with the advancing technology as it would be possible to double the current key size. AES differs with Shannon’s principle no. 2 as it is complex based on the fact tat complexity of implementation time is tolerable. Besides, AES has surpassed any other algorithm by being based on sound mathematics and ip to now, it has stood the test of time (Pfleeger, 2006). 3. In designing security principles, a lot needs to be considered with respect to the extent with which confidentiality, integrity and availability of data/information would be achieved or mitigated. Thus, as a basis, the person mandated with ensuring information security of an organization, should as a basis consider a number of issues. First consideration is the main objective or products of the organization. This would facilitate in giving an insight of what are the priorities to make with regard to information security. Second consideration would probably be the number of departments as well as the main tasks they carried out in them daily. What is the volume of data involved? Who are the personnel authorised to handle sensitive or non-sensitive data/information? Third consideration is the number, type and location of information security assets within the organization in general and departments in particular. Fourth aspect to consider would be establishing the type of risks the information assets are predisposed to with respect to interaction among employees, vendors, and customers. This would come in handy while instituting counter measures of the identified threats and vulnerabilities. In regard to confidentiality, it should only be authorized personnel that have access to information assets. As such, physical security controls e.g. lock and key and human security guards may be employed. Besides, software based access controls may be employed; for instance Role-Based Access Controls (RBAC) that specifies particular job functions on a need-to know basis. This would restrict the users in performing certain kind of task on the computer system. The most common RBAC model which is applied by NIST identifies various forms of RBAC –flat, hierarchical, constrained, and symmetric RBAC. To some extent, confidentiality is also referred o as information privacy or secrecy. Subsequently, access controls determines the level of integrity fro computer information/data. They stipulate who is responsible for creating, deleting or modifying information/data. Another security design principle which needs to be considered is availability of information/data. There should be no denial to any legitimate person fro any data at any particular time. With these considerations, among others, an information security manager would succeed in instituting an all comprehensive security design (Pfleeger, 2006). 4. To compensate clock drift, the concept of password token is implemented. Generally, password is generated randomly in such a way that it is hard to predict and up on reaching the receiving end, validation process (es) is/are initiated. New numbers are generated after every minute or so and each user is given access to displayed on the device which acts as a one-time period. Conversely, on the receiving side, a computer through an algorithm process is able to process a password by using the current time. A successful authentication happens if the password produced through the algorithm matches the one that was computed/ generated remotely. It happens that at some times devices that are generating passwords may be misaligned –this happens if one clock runs faster than the other. To keep this on check, it is done by the use of natural rules making the subject devices to account for any minor drift that may be experienced. The use of one-time password ensures that issues of mine trapping and spoofing are kept at bay. However, problems are encountered in case the user looses the device generating the password mostly if it falls in the wrong hands (attacker). The slice window can be used by the attackers to launch this attack into the system. To overcome the time slice experienced, amore sophisticated scheme is used –challenge and response device. Such a device works well by subjecting the user to an authentication process by means of a PIN –a random number sent by the remote system which is technically referred to as the ‘challenge’. It is important to note that the random number is what the user enters into the device. In order to complete this process, the remote device finally responds by will with another final number that the user transmits to the system. For each and every use, a user is prompted by the system for a new challenge. Nevertheless, it is practically clear that the issues of rogue remote hosts are not addressed (Pfleeger, 2006). 5. For a network security expert encryption is one of the tools that come in handy since it is able to provide limited access data as a whole at the same time compromising integrity, privacy, etc. To make a network secure data keeping in mind the high percentage of risk involved there’s the urge to combine both encryption and other available methods (controls). In a nutshell, link and end-to-end encryption can be used at the same time. The main reason being if you can have an encrypted system that has a loophole (flawed) it remains vulnerable in terms of its design, encryption main objective is to protect whatever data that is already encrypted. Encryption cannot protect against malicious codes of software like Trojans hence the importance of combining it with other controls that are readily available. When encryption is implemented between two existing hosts it is termed as link encryption while when implemented between two application/programs it is termed as end-to-end encryption. The main advantage by the above combination is that of duplication of security of the data involved is guaranteed with a very little negative impact. This can be explained by a scenario whereby a particular user doesn’t trust the quality of the link in use thereby applying end-to-end encryption as an added measure, while a system administrator can opt to use links encryption if he is concerned with the security of an end-to-end encryption control (Pfleeger, 2006) . References Gollmann, D. (2010). Computer security. WIREs Comp Stat, 2(9/10), 544–554. Pfleeger, C.P. (2006). Security in Computing, 4th ed. New Jersey: Prentice Hall. Read More