Cybersecurity Design Principles
This material was developed with funding from the National Science Foundation.
This work is licensed with a Creative Commons Attribution 4.0 International License.
Introduction
You are a software developer. Your ultimate goal is to create a design that does the intended task and is efficient, effective, and usable. Use security design principles to help you achieve the main tenets of information security—confidentiality, integrity, and availability of the system, its sub-systems, and the system data.
Modularity
Modularity subdivides a system into smaller parts, or modules, that can be independently created and then used in several systems. Security functions are developed as separate, protected modules.

Simplicity of Design (Economy of Mechanism)
When you design a security application or program, keep it as simple and small as possible.
Just keep it simple #$!!^%!
The door lock design on the top is interesting, but it adds too much complexity.

Layering (Defense in Depth)
Layering uses overlapping protection approaches to address the people, technology, and operational aspects of information systems.
An example of layering is Defense-in-Depth, a security approach that involves a series of security mechanisms so that if one fails, others will be in place.
Figure: Defense-in-Depth layers: Policies, Procedures & Awareness; Physical; Perimeter; Network; Host; App; Data.
Separation
Use a practice in which multiple privilege attributes are required to achieve access to a restricted resource. Data and/or systems are separated into logically defined domains, and communication between domains must be authorized.
Users in Domain A, the parent domain, can see and manage records in Domains B, C, and D (the child domains). Users in a child domain cannot see or manage records in a parent domain.
Figure: Domain A (parent) above the child domains Domain B: Database Chicago, Domain C: Database Houston, and Domain D: Database Dallas, with the users Jaylyn, Cam, Jake, Hector, and Liz shown in the domains.
Complete Mediation
All access to objects needs to be checked to ensure that it is allowed. Whenever a subject attempts to read an object, the operating system should mediate the action. First it determines whether the subject can read the object; if so, it provides the resources for the read to occur.
Least Privilege
Any user, program, or process should have only the bare minimum privileges necessary to perform the assigned functions based on a role.
Bob will ensure that every process and every user of the system operates using the least set of privileges necessary to perform the task.
Figure: "Access Allowed" diagram mapping roles (General Employee Role, Sales Role, IT Role, Accounting Role) to resources on the Corporate Network: Directory, Email, UNIX, Salesforce, Mainframe, Payroll, and Customer Database. Each user's role determines which privileges are needed.
Fail Safe Defaults/Fail Secure
When a system fails, system access attempts also fail. The system will fail safe (NOT allow users to access protected resources).
Figure: message shown to the user: "The system is currently down! Please try later."
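As an added example (not part of the course material), the three principles on this and the preceding slides, complete mediation, least privilege, and fail-safe defaults, implemented together in one small reference monitor in Python. The role and resource names come from the Least Privilege figure; the specific role-to-resource grants, the users' roles, and the public Login page are assumptions.

```python
from dataclasses import dataclass

# Assumed role-to-resource grants, in the style of the Least Privilege figure.
ROLE_PRIVILEGES = {
    "General Employee": {"Directory", "Email"},
    "Sales": {"Directory", "Email", "Salesforce"},
    "IT": {"Directory", "Email", "UNIX", "Mainframe"},
    "Accounting": {"Directory", "Email", "Payroll"},
}
PUBLIC_RESOURCES = {"Login"}  # assumed: pages explicitly intended to be public

class PolicyStoreUnavailable(Exception):
    """Raised when the role directory cannot be reached (the system is down)."""

@dataclass
class ReferenceMonitor:
    users: dict             # constructed directory: user -> role
    available: bool = True  # simulates the directory being up or down

    def lookup_role(self, user):
        if not self.available:
            raise PolicyStoreUnavailable("role directory is down")
        return self.users.get(user)

    def check(self, user, resource):
        """Complete mediation: every access request passes through here and
        is allowed only if the resource is public or the role lists it."""
        if resource in PUBLIC_RESOURCES:
            return True
        try:
            role = self.lookup_role(user)
        except PolicyStoreUnavailable:
            return False  # fail secure: an outage denies rather than grants
        # Fail-safe default: an unknown user or role holds no privileges.
        return resource in ROLE_PRIVILEGES.get(role, set())

def demo():
    """Constructed users: Bob in the Sales role, Jaylyn in the IT role."""
    rm = ReferenceMonitor(users={"Bob": "Sales", "Jaylyn": "IT"})
    results = [
        rm.check("Bob", "Salesforce"),  # Sales needs Salesforce -> True
        rm.check("Bob", "Payroll"),     # not granted to Sales -> False
        rm.check("Mallory", "Email"),   # unknown user, default deny -> False
        rm.check("Mallory", "Login"),   # public page, no login needed -> True
    ]
    rm.available = False  # simulate "The system is currently down!"
    results.append(rm.check("Jaylyn", "UNIX"))  # fail secure -> False
    return results
```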
Encapsulation
In object-oriented programming (OOP), a class definition encapsulates all data and the functions that operate on that data.
If an application maintains information on streets and roads for mapping, the database will encapsulate and define the properties of the streets and roads for processing. Properties like speed limit, direction, lanes, and congestion are encapsulated for real-time processing. The application does not need to know about other properties like how the road is constructed, the types of vehicles using the street, or other physical properties.
Figure: "Road Properties", showing encapsulated properties such as Street Name and Direction.
Usability
Usability is all about user-centered design. Both the design and development processes are focused around the perspective of the application user.
To maximize the stability of the interface, avoid abrupt and major changes of the interface view when they are not necessary. Using a default interface pattern helps improve the stability of interfaces that show pieces of correlated content and allow the user to make choices.
Open Design
The design of a security mechanism should be open and not depend on the secrecy of the design details or implementation.
For example, RSA is an asymmetric encryption algorithm based on the principle that it is easy to multiply large numbers, but factoring large numbers is difficult. The public key consists of two numbers; one of them is the result of multiplying two large prime numbers. Although the algorithm is very secure, the design is well known and open to the community. This principle ensures compatibility and makes updates and revisions much easier.
Figure: Original Plaintext is enciphered with RSA under Alice's Public Key to produce Ciphertext; RSA deciphering with Alice's Private Key recovers the Original Plaintext.
Least Astonishment (Psychological Acceptability)
A component of a system should behave in a way that most users will expect it to behave; it should not astonish or surprise users. When Microsoft removed the Start button from its operating system, users were surprised. Microsoft ended up releasing an updated version of Windows and added the Start button back.
Figure: "No start button".
Trust Relationships
Developers and security specialists should build applications, systems, and networks that match ordinary users' sociological expectations of trust in terms of identity, authentication, service level agreements, and privacy. Developers must maintain a Trust Boundary. The issues in establishing trust include the following:
- Authenticating the other endpoint to prevent masquerading
- Ensuring the security of the communication to maintain the confidentiality of the data
- Preventing data tampering to maintain the integrity of the data
Figure: Trust Boundary diagram with a Web Server, Application Server, Email Server, and Database Server.

Minimize Trust Surface (Reluctance to Trust)
Assume that the environment in which a system resides is insecure. Trust, whether it is in external systems, code, or people, should always be held closely and never loosely given.
When building an application, anticipate malformed input from unknown users. Even if the users are known, they are susceptible to social engineering attacks, making them potential threats to a system.
No system is 100% secure, so the interface between two systems should be secured. Minimizing the trust in other systems can increase the security of an application.
Figure: login form with the fields Username (Bob) and Password, and the result "Access Granted".
Isolation
Isolation prevents disclosure of or tampering with critical resources (data, processes, etc.).
For example, processes run on a computer. Each process can only access a certain address space (memory). If a word processor, a point-of-sale program, and a database program are all running on a system at the same time, process isolation ensures that each application cannot influence or corrupt the others.

Quiz (10 questions)

Drag each term to its appropriate description. Drag the cybersecurity principle into its proper category.
Terms: Least Astonishment; Minimize Trust Surface; Fail Safe Defaults; Trust Boundaries
Descriptions:
- The design does not depend on the secrecy of the design details
- The user interface responds as expected
- Software that users learn quickly and is easy to use
- Boundaries exist to prevent masquerading and to maintain confidentiality and integrity
- Clear distinctions between privilege levels exist (i.e., authentication AND authorization)
- Multiple privilege attributes are required to achieve access to a restricted resource
- Protection is provided by having a collection of procedures in a domain of its own
- Access decisions based on permission rather than exclusion
- Every access is checked against the access control setting to ensure that access is allowed
- Privileges granted to perform the required task

What design principle is illustrated?
Simplicity of design
A system should be subdivided into smaller parts that can be independently created and then used in several systems.

Bob works at a small company. When he enters the building, he has access to all rooms. Which principles of security is the company violating with this practice? Select all possible answers.
- Least privilege
- Psychological Acceptability
- Complete mediation
- Fail Secure

What design principle does the lock pictured above violate?

Bob designed an administrative interface that grants access to production management networks, checks for administrative user authorization, and logs all access. Which of the following best describes the security principle that Bob has employed?
Defense in depth

"The security of a mechanism should not depend on the secrecy of its design or implementation" describes which of the following principles?

This security principle maintains confidentiality, integrity, and availability by defaulting to a secure state; unless a user is given explicit access to an object, that user is denied access to that object.

Bob is verifying that all pages and resources in his web application require authentication by default, except those specifically intended to be public. What design principle does this describe?