CSSLP Tutorial: Module 01,Part 01: Core Security Requirements

Security Requirement

The first part of this lesson discusses confidentiality as the first of the core security requirements. The second part covers the second leg of the triad, integrity. The last part covers availability and authentication. This lesson introduces the student to the core security requirements that apply when coding, programming, and maintaining client computing systems and data files.

CSSLP Tutorial: Three States of DATA

Data can exist in three states: at rest, in process, and in transit. Data at rest is stored (for example, sitting on a desktop) and is not currently being used. Data in process is being manipulated at that moment: a file that is open and being worked on. Data in transit is being sent from one system to another, that is, a file moving between different systems. Each of the main security requirements is affected by the state the data is in.


CSSLP Tutorial: The C_I_A triad

The three main security requirements are referred to as the C_I_A triad: Confidentiality, Integrity, and Availability. When we think of confidentiality, we think of people hacking into systems and files, and so we think of encryption to protect against that. However, there are other security techniques and best practices beyond encryption. We have to look at the data in each of its three states and think of the best possible ways to maintain client confidentiality.

CSSLP Tutorial: Basic Best Practices Prevent Problems

There are several basic best practices for dealing with data, regardless of which state it is in. As a security technique, we document how we will protect personally identifiable information (P.I.I.). Part of the job is to develop specific algorithms to protect it from either overt or covert attacks. Insecure transfer methods such as FTP should not be used for sensitive information; TLS or SSL must be used for all transmittal of sensitive information. Other best practices include masking: when you type a password, asterisks show up on the screen rather than the actual letters and symbols of the password. Another measure against overt compromise is keeping customer service representatives from seeing your information. For covert attacks there is a technology called steganography, which embeds information inside images or inside a different message. Much like an early Trojan Horse virus of the 1990s and 2000s, steganography can hide messages within messages.

CSSLP Tutorial: Confidentiality

In each of the three states: When data is at rest, in terms of confidentiality, it should be encrypted with no less than AES 256-bit encryption. When data is in process, there is not a lot that can be done to protect it. While you are working on the data it may still be encrypted on the hard drive, but it has to be decrypted to be loaded into RAM while a rep is working on it. While it is decrypted and in process, it is vulnerable. It is re-encrypted once the rep saves it back to storage. Unfortunately, while it is in process there is not a whole lot that can be done to protect it beyond some essential best practices. Good clean desk practices help keep loss of confidentiality at bay: keep your desk clear of loose papers or notes with passwords, make sure others cannot read your screen so they cannot shoulder surf, lock your system if you have to leave your desk, and make sure others cannot access your desktop, either the physical one or the electronic one. When data is in transit, all data must use a secure transmission protocol such as SSL, TLS, or IPsec while it is moving between systems.
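As an added example (not part of the tutorial), here is what the in-transit requirement looks like as a concrete TLS client configuration, using only Python's standard ssl module. The helper names (make_client_context, weak_context, context_summary, context_is_acceptable) are this example's own; the weak context is included only so the checker has a misconfiguration to reject.

```python
import ssl


def make_client_context(cafile=None):
    """Return a TLS client context suitable for sending sensitive data in transit.

    create_default_context() already verifies the server certificate, checks the
    hostname and disables SSLv2/SSLv3; here we additionally pin the minimum
    protocol version to TLS 1.2. `cafile` is an optional CA bundle path; with
    None the platform trust store is used.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse TLS 1.0 / 1.1
    ctx.verify_mode = ssl.CERT_REQUIRED            # peer must present a trusted cert
    ctx.check_hostname = True                      # and it must match the host we dialled
    return ctx


def weak_context():
    """A context that must NOT be used for sensitive data: it accepts any
    certificate, so an on-path party could read the traffic. Shown only so
    the checker below has something to reject."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_summary(ctx):
    """Reduce a context to the three settings a reviewer would check."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def context_is_acceptable(ctx):
    """True only if the context enforces TLS >= 1.2 with full certificate checking."""
    return (
        ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
    )


if __name__ == "__main__":
    for name, ctx in (("hardened", make_client_context()), ("weak", weak_context())):
        print(name, context_summary(ctx), "acceptable:", context_is_acceptable(ctx))
```

The same three settings (minimum protocol version, certificate verification, hostname check) are what to look for when reviewing any client library's TLS options, whatever the language.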

CSSLP Tutorial: Integrity

In each of the three states: The second tenet of the C_I_A triad is integrity. The security requirement here is protection against modification of the system or of the files found in the system. We want to make sure the system performs as it should. Integrity helps ensure that internal and external values are consistent.

When the data is at rest and is available as published software, we want to provide the user with a message digest so the user can validate that the software is complete. When the data is in process and we allow user input, we want to be careful: anytime user input is allowed, code injection could be a huge problem. We want to ensure accuracy and reliability so the data does not get modified, even by the user. When the data is in transit, we want to make sure it has not been modified, so we might protect ourselves with CRCs, checksums, hashes, and MACs.
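The following is an added example, not code from the tutorial, showing the difference between the integrity controls just listed: a CRC, a published message digest, and a keyed MAC. The sample file bytes, the key, and the helper names (crc32_of, sha256_digest, verify_published_digest, mac_tag, verify_mac, integrity_report) are all constructed for this example; it uses only the Python standard library.

```python
import hashlib
import hmac
import zlib

# Constructed sample "published file" and a copy with a single byte changed
# (example data, not from the tutorial).
ORIGINAL = b"setup-1.0.exe: example installer payload"
TAMPERED = b"setup-1.0.exe: example installer payloaf"


def crc32_of(data: bytes) -> int:
    """CRC detects accidental corruption (bit flips, truncation) but is not a
    security control: anyone who changes the data can recompute it."""
    return zlib.crc32(data) & 0xFFFFFFFF


def sha256_digest(data: bytes) -> str:
    """Message digest published next to a download so users can check the file."""
    return hashlib.sha256(data).hexdigest()


def verify_published_digest(data: bytes, expected_hex: str) -> bool:
    """Check a download against the digest the publisher advertised.
    compare_digest avoids timing differences that depend on how many bytes matched."""
    return hmac.compare_digest(sha256_digest(data), expected_hex)


def mac_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 over data in transit: only holders of `key` can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, data: bytes, tag_hex: str) -> bool:
    return hmac.compare_digest(mac_tag(key, data), tag_hex)


def integrity_report(received: bytes, expected_crc: int, published_sha256: str,
                     key: bytes, tag_hex: str) -> dict:
    """Run the three checks a receiver might apply and report each outcome."""
    return {
        "crc_matches": crc32_of(received) == expected_crc,
        "digest_matches": verify_published_digest(received, published_sha256),
        "mac_matches": verify_mac(key, received, tag_hex),
    }


if __name__ == "__main__":
    key = b"shared-secret-known-to-both-ends"   # constructed demo key
    crc, published, tag = crc32_of(ORIGINAL), sha256_digest(ORIGINAL), mac_tag(key, ORIGINAL)
    print("intact  :", integrity_report(ORIGINAL, crc, published, key, tag))
    print("tampered:", integrity_report(TAMPERED, crc, published, key, tag))
    # An unkeyed digest only helps if it arrived through a trusted channel:
    # whoever can alter the file can also publish a recomputed digest beside it.
    print("tampered file with recomputed digest verifies:",
          verify_published_digest(TAMPERED, sha256_digest(TAMPERED)))
    # A MAC cannot be recomputed without the shared key.
    print("tampered file with tag made without the key verifies:",
          verify_mac(key, TAMPERED, mac_tag(b"wrong-key", TAMPERED)))
```

The last two lines of the demo are the practical lesson: a published digest protects the download only if the digest itself comes from somewhere the user trusts (the vendor's site over TLS, or a signed release note), whereas a MAC or digital signature binds the check to a secret the receiver can rely on.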

Other methods for maintaining data integrity include requiring digital signatures on email messages. We might document requirements such as input validation on forms used when downloading software. And anything we publish may come with a message digest so the user can check that the program (or file) they have downloaded has not been modified.
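As an added example for the input validation requirement mentioned above and the code injection concern in the previous paragraph (not code from the tutorial), here is a form handler that validates a field against an allow-list and then queries with bound parameters, next to the concatenation pattern that lets user input become part of the SQL text. The in-memory table, the usernames, and the helper names (validate_username, make_db, lookup_email, lookup_email_unsafe, unsafe_lookup_outcome, handle_form) are constructed for this example; only the Python standard library is used.

```python
import re
import sqlite3

# Allow-list for a username form field: only what the field is meant to hold.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def validate_username(value: str) -> bool:
    """Reject anything outside the allow-list rather than trying to strip bad characters."""
    return USERNAME_RE.fullmatch(value) is not None


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_email_unsafe(conn, name: str) -> list:
    """The input is spliced into the SQL text, so the database parses whatever the
    user typed as part of the statement. Shown only to contrast with the safe form."""
    return [row[0] for row in conn.execute(
        "SELECT email FROM users WHERE name = '" + name + "'")]


def unsafe_lookup_outcome(conn, name: str):
    """Wrapper so the effect of a stray quote shows up as a value instead of a crash."""
    try:
        return lookup_email_unsafe(conn, name)
    except sqlite3.Error as exc:
        return "sql error: " + exc.__class__.__name__


def lookup_email(conn, name: str) -> list:
    """Parameterized query: the input is bound as data and never parsed as SQL."""
    return [row[0] for row in conn.execute(
        "SELECT email FROM users WHERE name = ?", (name,))]


def handle_form(conn, name: str):
    """What the form handler should do: validate first, then query with parameters."""
    if not validate_username(name):
        return "rejected: username must be 3-32 letters, digits or underscores"
    return lookup_email(conn, name)


if __name__ == "__main__":
    conn = make_db()
    for typed in ("alice", "o'brien"):
        print(repr(typed), "| concatenated ->", unsafe_lookup_outcome(conn, typed),
              "| validated + parameterized ->", handle_form(conn, typed))
```

A name such as o'brien is enough to show the problem: the concatenated statement fails to parse because the quote ends the string literal early, which is the same mechanism an attacker would use with crafted input, while the parameterized query simply finds no such user and the validator rejects the value before any query runs.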

CSSLP Tutorial: Availability

In each of the three states: How can we guarantee that the product is available to meet the client's needs? Have we included in the service level agreement (SLA) a commitment of 99.999% uptime to the client? If, for whatever reason, our product does not meet the customer's needs or the promised uptime, how will we compensate the client?

Other metrics for providing timely access to resources are MTD, RTO, and RPO (maximum tolerable downtime, recovery time objective, recovery point objective). One metric measures how much time might be lost or compromised while data is being restored. For MTD we work from mean time between failures and mean time to repair, and then assess whether the recovery process is rapid and secure enough to support the client's needs. Either way, it is certainly critical to restore the system, program, file, etc. within a 30 minute window so as to maintain availability of the product.

Yet another metric assesses tolerance for other losses: the Recovery Point Objective (RPO) states how much data loss the client will tolerate. Other questions to answer are: how long can the customer tolerate being without their system and/or software; how are you going to meet the availability requirement in the SLA; what are you going to do in terms of providing support; and how many users can work with the software at the same time? How are you going to repeat the scenario, assuming the coding and availability security measures succeed? There are several kinds of questions associated with availability requirements.
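As an added example for the availability metrics in the two paragraphs above (not from the tutorial), here is a small review script that turns an outage log into the numbers an SLA discussion needs: the downtime budget implied by a 99.999% promise, measured availability, MTBF and MTTR, and which incidents exceeded the recovery time objective. The incident list is constructed, the 30 minute RTO comes from the text, the 60 minute MTD is an assumption, and the function names are this example's own.

```python
SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed outage log for one year: (start_second, end_second) of each incident.
# Durations: 10 min, 20 min, 40 min (example data, not from the tutorial).
INCIDENTS = [
    (3_600, 3_600 + 600),
    (100 * 86_400, 100 * 86_400 + 1_200),
    (250 * 86_400, 250 * 86_400 + 2_400),
]


def downtime_budget_seconds(sla_percent: float, period_seconds: int = SECONDS_PER_YEAR) -> float:
    """How much downtime an uptime promise such as 99.999% leaves per period."""
    return period_seconds * (1 - sla_percent / 100.0)


def total_downtime(incidents) -> int:
    return sum(end - start for start, end in incidents)


def measured_availability(incidents, period_seconds: int = SECONDS_PER_YEAR) -> float:
    return 1 - total_downtime(incidents) / period_seconds


def mtbf_mttr(incidents, period_seconds: int = SECONDS_PER_YEAR):
    """Mean time between failures and mean time to repair, both in seconds."""
    n = len(incidents)
    down = total_downtime(incidents)
    return (period_seconds - down) / n, down / n


def availability_from_mtbf_mttr(mtbf: float, mttr: float) -> float:
    """Steady-state availability: the fraction of time the system is up."""
    return mtbf / (mtbf + mttr)


def rto_breaches(incidents, rto_seconds: int):
    """Incidents whose restore took longer than the recovery time objective."""
    return [(s, e) for s, e in incidents if e - s > rto_seconds]


def availability_review(incidents, sla_percent: float, rto_seconds: int, mtd_seconds: int,
                        period_seconds: int = SECONDS_PER_YEAR) -> dict:
    """Tie the metrics together the way an SLA review would."""
    mtbf, mttr = mtbf_mttr(incidents, period_seconds)
    return {
        "sla_met": total_downtime(incidents) <= downtime_budget_seconds(sla_percent, period_seconds),
        "availability": round(measured_availability(incidents, period_seconds), 6),
        "mtbf_hours": round(mtbf / 3600, 1),
        "mttr_minutes": round(mttr / 60, 1),
        "rto_breaches": len(rto_breaches(incidents, rto_seconds)),
        "rto_within_mtd": rto_seconds <= mtd_seconds,   # the RTO must never exceed the MTD
    }


if __name__ == "__main__":
    RTO = 30 * 60          # the 30 minute restore window from the lesson
    MTD = 60 * 60          # assumed maximum tolerable downtime for the example
    print("99.999% leaves %.1f s of downtime per year" % downtime_budget_seconds(99.999))
    print("review @ 99.999%:", availability_review(INCIDENTS, 99.999, RTO, MTD))
    print("review @ 99.9%  :", availability_review(INCIDENTS, 99.9, RTO, MTD))
```

With this log the service would pass a 99.9% SLA but miss 99.999% by a wide margin (70 minutes of downtime against a budget of about 5), and one incident already breached the 30 minute RTO; those are the facts a team needs before committing five nines in a contract.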

CSSLP Tutorial: The C_I_A triad includes confidentiality, integrity and availability.

Data can be found in several states: at rest, in process, or in transit. In each of the three states there are security requirements you should meet in order to meet the customer's needs. There are some general best practices and then more specific requirements for meeting specific points of measure. These metrics can be used to measure what happens to data in order to maintain confidentiality and minimize data compromise. They can be used to maintain integrity and reduce modifications of the software or file. Availability should also be maintained by concentrating efforts on keeping the program and/or product up and running for many users to access simultaneously, with a reduction of lost time or lost accessibility.