The Security
Principles represent the foundation of good information
security. These principles can be found throughout
modern society, including electronic commerce and
banking. The number of security principles varies
depending on who you ask. I've decided to
list those that, in my experience, most people tend to
agree on.
Authentication
Authentication is the process of verifying someone's (or
something's) identity. In most cases, claiming to be
someone is not enough - you must also prove it.
Perhaps the most commonly used authentication method is
the combination of user name and password. When most
people log into a Windows or POSIX (*nix) system, they
are prompted to identify themselves (user name), and
then they're prompted to provide something only they
should know (a password).
More complex methods of authentication exist and usually
combine two or more elements. The elements, or
authentication factors, can include something you know,
such as a password; something you have, such as an
access card; or something you are, such as a
fingerprint.
Automated Teller Machines use two-factor authentication:
something you have (the ATM card) and something you know
(the PIN).
Authorization
Authorization is the authority to access an item or
location. While authentication is "who you are",
authorization is "what you are allowed to do".
Consider an example where a sales person has a login to
the corporate network. This person has a valid user
account and can authenticate with the network, but that
does not mean they have full control over the network.
For example, the sales person can read from and write to
sales documents (because this person is authorized to do
so), but cannot add new users (a role normally reserved
for system administrators) because the sales person is
not authorized to do so.
Confidentiality
This is an easy concept for most people to understand -
it's the act of keeping secrets. Confidentiality is the
process of keeping information from being revealed to
entities not intended to receive the information.
Encryption is a common and effective way (if used
correctly) to provide confidentiality of information.
AES and Blowfish are examples of legitimate encryption
algorithms that provide confidentiality.
Data Integrity
It is often important to know when data has been
corrupted. Data integrity is the process of ensuring
information has not been improperly altered, whether the
change was accidental or intentional.
Consider the example of a person doing an online
transaction with a bank. The person sends a message to
the bank intending to transfer some money from checking
to savings, but the message is maliciously altered in
transit, causing the money to be transferred to another
account.
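An added example (not part of the original text) of one common way the bank could detect the alteration described above: the sender attaches an HMAC-SHA256 tag to the transfer message and the bank rejects any message whose tag does not verify. The shared key, account names and function names are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real key would come from a key store, never source code.
SHARED_KEY = b"constructed-demo-key-not-for-production"


def seal(transfer: dict, key: bytes) -> tuple[bytes, str]:
    """Serialize the transfer deterministically and compute an HMAC-SHA256 tag."""
    payload = json.dumps(transfer, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload, tag


def verify(payload: bytes, tag: str, key: bytes) -> bool:
    """Recompute the tag over the received bytes and compare in constant time."""
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def bank_receive(payload: bytes, tag: str, key: bytes) -> dict:
    """Bank side: refuse to parse or act on a message whose tag does not verify."""
    if not verify(payload, tag, key):
        raise ValueError("integrity check failed: message altered or wrong key")
    return json.loads(payload)


def demo() -> tuple[dict, bool]:
    # Constructed sample message: checking -> savings, as in the text.
    transfer = {"from": "checking-001", "to": "savings-001", "amount": "250.00"}
    payload, tag = seal(transfer, SHARED_KEY)
    accepted = bank_receive(payload, tag, SHARED_KEY)

    # Alteration in transit: the destination account is rewritten, tag left as is.
    altered = payload.replace(b"savings-001", b"account-999")
    try:
        bank_receive(altered, tag, SHARED_KEY)
        rejected = False
    except ValueError:
        rejected = True
    return accepted, rejected


if __name__ == "__main__":
    print(demo())
```

Because both parties hold the same key, an HMAC tag shows the message was not altered but cannot prove which of them produced it; that property is covered under Non-Repudiation.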
Auditing
Auditing is a way to know who did what, and when. Audit
trails are nearly always kept in electronic logs, and
are useful for tracing the steps of an intruder or
tracking down the cause of an unintentional system
failure.
Non-Repudiation
It can be useful, especially in banking and commerce, to
prove someone ordered something (such as a product or
bank transfer). In data security, non-repudiation means
an entity cannot plausibly deny sending a piece of data.
This is often accomplished with digital signatures,
which make it difficult for someone to sign a document and
later deny having signed it.
Availability
While a large part of security is keeping unauthorized
entities away from sensitive systems and information, it
is equally important to ensure authorized entities can
access systems and information as needed.