We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published bySarah Stokoe
Modified about 1 year ago
1 Copyright © 2014 M. E. Kabay. All rights reserved. The Parkerian Hexad CSH6 Chapter 3 “Toward a New Framework for Information Security” Donn B. Parker
2 Copyright © 2014 M. E. Kabay. All rights reserved. Topics The Classic Triad Parkerian Hexad Confidentiality Possession Integrity Authenticity Availability Utility Functions of INFOSEC Personnel CSH6 Ch 3
3 Copyright © 2014 M. E. Kabay. All rights reserved. The Classic Triad C – I – A “I would say that Vulnerability would be a frequently involved given the context of the incidents. Most incidents take advantage of how certain systems are designed, implemented, and/or how a system may be configured.”
4 Copyright © 2014 M. E. Kabay. All rights reserved. The Parkerian Hexad Protect the 6 atomic elements of INFOSEC: Confidentiality Possession or control Integrity Authenticity Availability Utility
5 Copyright © 2014 M. E. Kabay. All rights reserved. Why “Parkerian?”
6 Copyright © 2014 M. E. Kabay. All rights reserved. Confidentiality Restricting access to data Protecting against unauthorized disclosure of existence of data E.g., allowing industrial spy to deduce nature of clientele by looking at directory names Protecting against unauthorized disclosure of details of data E.g., allowing 13-yr old girl to examine HIV+ records in Florida clinic
7 Copyright © 2014 M. E. Kabay. All rights reserved. Possession Control over information Preventing physical contact with data E.g., case of thief who recorded ATM PINs by radio (but never looked at them) Preventing copying or unauthorized use of intellectual property E.g., violations by software pirates
8 Copyright © 2014 M. E. Kabay. All rights reserved. Confidentiality & Possession Losses Locating Disclosing Observing, monitoring, and acquiring Copying Taking or controlling Claiming ownership or custodianship Inferring Exposing to all of the other losses Endangering by exposing to any of the other losses Failure to engage in or to allow any of the other losses to occur when instructed to do so
9 Copyright © 2014 M. E. Kabay. All rights reserved. Integrity Internal consistency, validity, fitness for use Avoiding physical corruption E.g., database pointers trashed or data garbled Avoiding logical corruption E.g., inconsistencies between order header total sale & sum of costs of details
10 Copyright © 2014 M. E. Kabay. All rights reserved. Integrity: JIT Comment I would think that Integrity is most frequently involved in a security incident. If your software is tampered with or if your server is hacked into it automatically loses integrity even if nothing was changed. Integrity is very fragile.
11 Copyright © 2014 M. E. Kabay. All rights reserved. Authenticity Correspondence to intended meaning Avoiding nonsense E.g., part number field actually contains cost Avoiding fraud E.g., sender’s name on is changed to someone else’s
12 Copyright © 2014 M. E. Kabay. All rights reserved. Integrity & Authenticity Losses Insertion, use, or production of false or unacceptable data Modification, replacement, removal, appending, aggregating, separating, or reordering Misrepresentation Repudiation (rejecting as untrue) Misuse or failure to use as required
13 Copyright © 2014 M. E. Kabay. All rights reserved. Availability Timely access to data Avoid delays E.g., prevent system crashes & arrange for recovery plans Avoid inconvenience E.g., prevent mislabeling of files
14 Copyright © 2014 M. E. Kabay. All rights reserved. Availability: JIT Comment Availability seems to be the number one contender. A company many times are required to allow employees access into the company network and database so that they may be able to accomplish their everyday tasks. This is not for a lack of control by the company but out of production necessity. Therefore this scenario is most likely to be exploited due to availability.
15 Copyright © 2014 M. E. Kabay. All rights reserved. Utility Usefulness for specific purposes Avoid conversion to less useful form E.g., replacing dollar amounts by foreign currency equivalent Prevent impenetrable coding E.g., employee encrypts source code and "forgets" decryption key
16 Copyright © 2014 M. E. Kabay. All rights reserved. Availability & Utility Losses Destruction, damage, or contamination Denial, prolongation, acceleration, or delay in use or acquisition Movement or misplacement Conversion or obscuration
17 Copyright © 2014 M. E. Kabay. All rights reserved. Functions of INFOSEC Personnel (1) Avoid Deter Detect Prevent Mitigate Transfer Investigate Punish/reward Recover Correct Educate
18 Copyright © 2014 M. E. Kabay. All rights reserved. Functions of INFOSEC Personnel (2) Avoidance: e.g., prevent vulnerabilities and exposures Deterrence: make attack less likely Detection: quickly spot attack Prevention: prevent exploit Mitigation: reduce damage Transference: shift control for resolution
19 Copyright © 2014 M. E. Kabay. All rights reserved. Functions of INFOSEC Personnel (3) Investigation: characterize incident Sanctions & rewards: punish guilty, encourage effective responders Recovery: immediate response, repair Correction: never again Education: advance knowledge and teach others
20 Copyright © 2014 M. E. Kabay. All rights reserved. Now go and study
Application Design (2) Database – IS 240 Lecture #23 – M. E. Kabay, PhD, CISSP Dept of Computer Information Systems Norwich University
Managing Multi-User Databases (3) IS 240 – Database Management Lecture # Prof. M. E. Kabay, PhD, CISSP Norwich University
1-1/29 Copyright © 2006 M. E. Kabay. All rights reserved. 08:15-09:00 INFORMATION WARFARE Part 1: Fundamentals Advanced Course in Engineering 2006 Cyber.
1 Copyright © 2007 M. E. Kabay. All rights reserved. PROTECTING DATA AT REST ISSA Hartford, CT M. E. Kabay, PhD, CISSP-ISSMP CTO & MSIA Program.
ATS The Art of Tech Support John Abbott College InfoSec for Tech Support -- Part 1 M. E. Kabay, PhD, CISSP Director of Education, NCSA President,
Assessing & Auditing Internet Usage Policies Presented to the Institute of Internal Auditors 13 April 2004 M. E. Kabay, PhD, CISSP Associate Professor.
Introduction to Network Security INFSCI 1075: Network Security Amir Masoumzadeh.
Legal Issues in Information Security Chapter 5. Objectives Understand U.S. Criminal Law Understand U.S. Criminal Law Understand State Laws Understand.
Security Threats and Protection Mechanisms. Learning Objectives Internet security issues (intellectual property rights, client, communication channels,
SECURITY AWARENESS. The Importance of Security Awareness Training Security Awareness Training provides the knowledge to protect information systems and.
Logical IT Security By Prashant Mali.
IT Security Auditing. Topics Defining IT Audit Risk Analysis Internal Controls Steps of an IT Audit Preparing to be Audited Auditing IT Applications Who.
Computer Forensics. Introduction Topics to be covered –Defining Computer Forensics –Reasons for gathering evidence –Who uses Computer Forensics –Steps.
Copyright 2001 Brett J. Trout Security Concerns with e-Commerce Bretttrout.com.
E. Gelbstein A. Kamal Information Insecurity Part II: The Solution Next slide: PgDn or Click Previous slide: PgUp To quit the presentation: Esc 1 of 48.
PLANNING THE AUDIT Individual audits must be properly planned to ensure: Appropriate and sufficient evidence is obtained to support the auditors opinion;
Security Presented by: Mark Davis & Shahein Moussavi.
« In Confidence » Putting in Place a Trade Secret Protection Program in an SME Najmia Rahimi Senior Program Officer, SMEs Division, World Intellectual.
E-Procurement for Improving Governance Session 5: Integrity Protection of eProcurement systems A World Bank live e-learning event addressing the design.
Testing Relational Database. Overview Once the design of a database system has been completed, the developers are ready to move into the implementation.
The Importance of Trade Secrets for Businesses Small and Medium Sized Enterprises (SMEs) Division World Intellectual Property Organization (WIPO)
Computer Vulnerabilities 1. 1.Overview 2. 2.Threats to Computer Systems 3. 3.How Hackers Work 4. 4.Using the Internet Securely 5. 5.How We Make It Easy.
WIPO ASIA SUB-REGIONAL WORKSHOP ON THE USE OF INTELLECTUAL PROPERTY (IP) BY SME SUPPORT INSTITUTIONS FOR THE PROMOTION OF COMPETITIVENESS OF SMEs IN THE.
Chapter 6: Integrity and Security Domain Constraints Referential Integrity Assertions Triggers Security Authorization Authorization in SQL.
An Overview of Computer and Network Security Nick Feamster CS 6262 Spring 2009.
McGraw-Hill/Irwin Copyright © 2008, The McGraw-Hill Companies, Inc. All rights reserved.McGraw-Hill/Irwin Copyright © 2008 The McGraw-Hill Companies, Inc.
Md. Kamrul Hasan Assistant Professor and Chairman Computer and Communication Engineering Dept. Network Security.
A Business-Oriented Overview of IP for Law and Management Students Geneva, May 29-31, 2007 Small and Medium-Sized Enterprises (SMEs) Division World Intellectual.
Network Security Protecting An Organizations Network.
© 2016 SlidePlayer.com Inc. All rights reserved.