COMPUTER SECURITY So it basically says that if we use Facebook (as an example fo
ID: 3752253 • Letter: C
Question
COMPUTER SECURITY
So it basically says that if we use Facebook (as an example for our system), what are the good and bad implementaion example be with regard to the 14 security principles.
4) Consider any system which implements many security measures such as a banking system, social media platform, employee records for a company, etc. (The examples listed here are just that, examples, so consider bring original and choose a real or notional system type that you would actually like to work on.) Briefly describe (bullets are fine) what each of the 15 security principals (found in the Week 2 Lecture Slides) would look like if the system had good system design principles, and also what a poor or badly-designed implantation of that principle might look like. In a table, briefly illustrate: 1. Example: System-Facebook. Economy of Mechanism- For end user account security, Facebook relies primarily on 2-factor authentication, which is a relatively simple but effective security measure.Explanation / Answer
Economy of mechanism - Well designed Implementation example 2 factor authentication , keeping robots (scrapper, crawler) at bay using I am not a robot policy security check. Simple and small as possible as in encryption of security tokens in transit . Poorly designed implementation example dictionary based password guessing attack , using weak passwords , client browser security vulnerability, cross side scripting attacks. Fail safe Defaults- Well designed Implementation example Using IAM access control methods , creating user groups that give only very limited access to certain code base or certain database functionality.Access should be given by authorized sudo owner or admin who grants access to the end user based on certain signals received (eg: PingID, RSA Tokens ,residential address , zip code etc.) Poorly designed implementation example No user group control , giving access to the user just based on request without manager or senior manager approval of the use of the system , using weak passwords , giving lot of access to the user based on default logins. Complete Mediation -- Well designed Implementation example Access should be given by authorized sudo owner or admin who grants access to the end user based on certain signals received (eg: PingID, RSA Tokens ,residential address , zip code etc.). User should walk in person on the admin desk provide his batch or ID card for user group requests assignment. Poorly designed implementation example No validation checks on the user or employee requesting access leading to external or internal mediation attack. Allowing weak passwords to use Single Sign on functionality. Open design - Well designed Implementation example Design of a system should be independent of the security mechanism used . Use of Secure token vaults or segregating the data into different zones and using behind highly secured firewalls or layers that requires more than 2 factor authentication. Poorly designed implementation example Use open source SSL libraries or coding your own crypto libraries that is dependent on the libraries. Least Privilege Well designed Implementation example Access groups should be assigned based on timercontrol . If the given timestamp exceeds the one when it was granted the access groups should be revoked for that particular user. The system should reset itself when the timeframe has been exceeded. Poorly designed implementation example No time frame given for the requested user group which leads to passwords that could be guessed and attacked for resources or data. Separation Privilege Design Principle Well designed Implementation example Access should be given by authorized sudo owner or admin who grants access to the end user based on certain signals received or rule based mechanism (eg: PingID, RSA Tokens ,residential address , mobile number , One time password (Can be implemented using twilio)etc.). Poorly designed implementation example Granting user group access based on just authentication of the password with no inperson or mandatory rule based approval. Least Common Mechanism - Well designed Implementation example No sharing of access groups , tracking the user or employee based on IP address, geolocation(maxmind.com) , previous log history , fraud check, credit check etc. Access should be revoked if user found sharing the resources Poorly designed implementation example Sharing of user groups on multiple accounts, poor implementation of default behaviours. Psychological Acceptability Well designed Implementation example Not make resources more difficult to access than if the security mechanisms were not present - Using two factor authentication , external mobilebased authentication , showing only default set of view that a person has to minimal required to proceed further( fallback mechanism) Poorly designed implementation example Encrypting everything leading to wastage of resources and no fallbacks security methods(default behaviour) in place to support it. Layering - Well designed Implementation example Segregate the data into different classes (Class 1 (critical - SSN , customer name, Data of birth) , Class 2 (mobile number, credit card nuymber, alternative phone number ) , Class 3 (residential address, work address, credit score) , Class 4 (Customer other bank names , qualification ,work address ) , Class 5(hieght, weight of customer , race , color , sex) etc. Keeping Class 1 data in highly secured zones with differnt layers of security mechanism and reduces as we move on from Class 2 ... 5. Poorly designed implementation example No data segregation , storing all the customer data , confidential IP into one single database with no triggers (Onupdate, ondelete, onaccess) mechanisms in places, no firewall inbound ip control policy etc.
Related Questions
drjack9650@gmail.com
Navigate
Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.