Description OVERVIEW In this case study assignment, we will continue to investigate the Fundamenta ...

---

Description OVERVIEW In this case study assignment, we will continue to investigate the Fundamental Security Design Principles at work in a real-world scenario. Through the lens of privacy protection, we will analyze the following principles: Isolation Encapsulation Complete Mediation Minimize Trust Surface (Reluctance to trust) Trust relationships Trust relationships CASE STUDY SCENARIO The security team at your organization receives an alert from your organization’s cloud storage provider, DataStore. DataStore is a popular cloud-based data hosting service that your organization has contracted with to store public-facing information such as product briefs and advertisements in a “shared” platform with many other customers. Your organization has a policy against transferring confidential data to the cloud and has asked DataStore to alert your security team if they detect unusual data-transfer activities. DataStore noticed that an active connection transferred large numbers of files to their platform and promptly investigated. Upon closer inspection, the DataStore employee recognized that customer names and social security numbers were clearly displayed in the uploaded files. The security team, with the help of DataStore, discovered that an intern was responsible for the large data transfer. The intern accidentally saved confidential email attachments to a folder on his system that synchronized with DataStore. The intern apologized and stated that he would delete the data from the cloud storage location. However, the problematic files were available for public download for a short period of time.  PROMPT After reading the scenario above, complete the Fundamental Security Design Principles mapping table in the Case Study Template and answer the short response questions. You’ll notice that the Fundamental Security Design Principles listed differ from those presented in previous activities. In the cybersecurity trade, there are many different design principles and frameworks. Successful practitioners learn to work with many different (but conceptually similar) principles to achieve their security goals. Specifically, you must address the critical elementslisted below: Fundamental Security Design Principles Mapping: Fill in the table in the Module Three Case Study Template by completing the following steps for each control recommendation: Specify which Fundamental Security Design Principle applies to the control recommendations by marking the appropriate cells with an X. Indicate which security objective(confidentiality, availability, or integrity) applies best to the control recommendations. Explain your choices in one to two sentences with relevant justifications. Short Response Questions: Is it possible to use Data Store and maintain an isolated environment? Explain your reasoning. How could the organization have more effectively applied the principle of minimizing trust surface with Data Store to protect its confidential data? Explain your reasoning. How can the organization build a more security-aware culture from the top down to prevent mistakes before they happen? Explain your reasoning.  2 attachments Slide 1 of 2 attachment_1 attachment_1 attachment_2 attachment_2 UNFORMATTED ATTACHMENT PREVIEW CIA Triad and Fundamental Security Design Principles The terms listed below are essential in the field of cybersecurity and will be a topic of conversation and application throughout the program. It is therefore important for you to familiarize yourself with these terms and their definitions. Note that the CIA triad is sometimes referred to as the tenets of cybersecurity. The Fundamental Security Design Principles are sometimes called fundamental design principles, cybersecurity first principles, the cornerstone of cybersecurity, and so on. CIA Triad Information that is secure satisfies three main tenets, or properties, of information. If you can ensure these three tenets, you satisfy the requirements of secure information (Kim & Solomon, 2013). ? Confidentiality Only authorized users can view information (Kim & Solomon, 2013). ? Integrity Only authorized users can change information (Kim & Solomon, 2013). ? Availability Information is accessible by authorized users whenever they request the information (Kim & Solomon, 2013). Fundamental Security Design Principles These principles offer a balance between aspirational (and therefore unobtainable) “perfect security,” and the pragmatic need to get things done. Although each of the principles can powerfully affect security, the principles have their full effect only when used in concert and throughout an organization. These principles are a powerful mental tool for approaching security: one that doesn’t age out of usefulness or apply only to a few specific technologies and contexts; one that can be used for architecture, postmortem analysis, operations, and communication. The principles are ultimately only one piece in the security practitioner’s toolkit, but they are a flexible piece that will serve different roles for different people (Sons, Russell, & Jackson, 2017). ? Abstraction Removal of clutter. Only the needed information is provided for an object-oriented mentality. This is a way to allow adversaries to see only a minimal amount of information while securing other aspects of the model (Tjaden, 2015). ? Complete Mediation All accesses to objects should be checked to ensure that they are allowed (Bishop, 2003). ? Encapsulation The ability to only use a resource as it was designed to be used. This may mean that a piece of equipment is not being used maliciously or in a way that could be detrimental to the overall system (Tjaden, 2015). ? Fail-Safe Defaults / Fail Secure The theory that unless a subject is given explicit access to an object, it should be denied access to that object (Bishop, 2003). ? Information Hiding Users having an interface to interact with the system behind the scenes. The user should not be worried about the nuts and bolts behind the scenes, only the modes of access presented to them. This topic is also integrated with object-oriented programming (Tjaden, 2015). ? Isolation Individual processes or tasks running in their own space. This ensures that the processes will have enough resources to run and will not interfere with other processes running (Tjaden, 2015). ? Layering Having multiple forms of security. This can be from hardware or software, but it involves a series of checks and balances to make sure the entire system is secured from multiple perspectives (Tjaden, 2015). ? Least Astonishment (Psychological Acceptability) Security mechanisms should not make the resource more difficult to access than when security mechanisms were not present (Bishop, 2003). ? Least Privilege The assurance that an entity only has the minimal amount of privileges to perform their duties. There is no extension of privileges to senior people just because they are senior; if they don’t need the permissions to perform their normal everyday tasks, then they don’t receive higher privileges (Tjaden, 2015). ? Minimization of Implementation (Least Common Mechanism) Mechanisms used to access resources should not be shared (Bishop, 2003). ? Minimize Trust Surface (Reluctance to Trust) The ability to reduce the degree to which the user or a component depends on the reliability of another component (Bishop, 2003). ? Modularity The breaking down of larger tasks into smaller, more manageable tasks. This smaller task may be reused, and therefore the process can be repurposed time and time again (Tjaden, 2015). ? Open Design The security of a mechanism should not depend on the secrecy of its design or implementation (Bishop, 2003). ? Separation (of Domains) The division of power within a system. No one part of a system should have complete control over another part. There should always be a system of checks and balances that leverage the ability for parts of the system to work together (Tjaden, 2015). ? Simplicity (of Design) The straightforward layout of the product. The ability to reduce the learning curve when analyzing and understanding the hardware or software involved in the information system (Tjaden, 2015). ? Trust Relationships A logical connection that is established between directory domains so that the rights and privileges of users and devices in one domain are shared with the other (PC Magazine, 2018). ? Usability How easy hardware or software is to operate, especially for the first-time user. Considering how difficult applications and websites can be to navigate through, one would wish that all designers took usability into greater consideration than they do (PC Magazine, 2018). References Bishop, M. (2003). Computer security: Art and science. Boston, MA: Addison-Wesley Professional. Kim, D., & Solomon, M. G. (2013). Fundamentals of information systems security (2nd ed.). Burlington, MA: Jones & Bartlett Publishers. PC Magazine. (2018). Encyclopedia. Retrieved from https://www.pcmag.com/encyclopedia Sons, S., Russell, S., & Jackson, C. (2017). Security from first principles. Sebastopol, CA: O’Reilly Media, Inc. Tjaden, B. C. (2015). Appendix 1: Cybersecurity first principles. Retrieved from https://users.cs.jmu.edu/tjadenbc/Bootcamp/0-GenCyber-First-Principles.pdf CYB 200 Module Three Case Study Template After reviewing the scenario in the Module Three Case Study Activity Guidelines and Rubric document, fill in the table below by completing the following steps: 1. Specify which Fundamental Security Design Principle applies to the control recommendations by marking the appropriate cells with an X. 2. Indicate which security objective (confidentiality, availability, or integrity) applies best to the control recommendations. 3. Explain your choices in one to two sentences with relevant justifications. Control Recommendations Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals. Monitor all traffic leaving the organization to detect any unauthorized use. Use an automated tool, such as host-based data loss prevention, to enforce access controls to data even when data is copied off a system. Isolation Encapsulation Complete Mediation Minimize Trust Surface (Reluctance to Trust) Trust Relationships Security Objective Alignment (CIA) Explain Your Choices (1–2 sentences) Control Recommendations Physically or logically segregated systems should be used to isolate higher-risk software that is required for business operations. Make sure that only the resources necessary to perform daily business tasks are assigned to the end users performing such tasks. Install application firewalls on critical servers to validate all traffic going in and out of the server. Require all remote login access and remote workers to authenticate to the network using multifactor authentication. Restrict cloud storage access to only the users authorized to have access, and include Isolation Encapsulation Complete Mediation Minimize Trust Surface (Reluctance to Trust) Trust Relationships Security Objective Alignment (CIA) Explain Your Choices (1–2 sentences) Control Recommendations authentication verification through the use of multi-factor authentication. Make sure all data-inmotion is encrypted. Set alerts for the security team when users log into the network after normal business hours, or when users access areas of the network that are unauthorized to them. Isolation Encapsulation Complete Mediation Minimize Trust Surface (Reluctance to Trust) Trust Relationships Security Objective Alignment (CIA) Explain Your Choices (1–2 sentences) After you have completed the table above, respond to the following short questions: 1. Is it possible to use DataStore and maintain an isolated environment? Explain your reasoning. 2. How could the organization have more effectively applied the principle of minimizing trust surface with DataStore to protect its confidential data? Explain your reasoning. 3. How can the organization build a more security-aware culture from the top down to prevent mistakes before they happen? Explain your reasoning. Purchase answer to see full attachment Explanation & Answer: 1 Page User generated content is uploaded by users for the purposes of learning and should be used following Studypool's honor code & terms of service.