The module for this lesson is still under development. Please contact us if you have any questions.

 

Security Trade-offs: “You can’t have your cake and eat it too!”

 

Summary:

Security comes with a price. The price can be the cost associated with the development or integration of the control itself (for example, the cost of a firewall) or it could be price in terms of the compromises the users have to make to be secure (i.e. time and effort spent in password-based systems). When we want to incorporate security in information systems and information, we need to consider:

  1. What are the risks if we do not employ security controls?
  2. What are the costs (in terms of resources spent and compromises in user experiences)?

Once we analyze answers to these questions, we have to consider whether the risks outweigh the costs and incorporate only security controls which are cost-effective. In designing security controls, we also need to consider trade-offs in implementation of the controls and compromises to effortless user experience. This is especially a concern when we consider providing data to the user while simultaneously protecting the confidentiality, integrity, and availability of the data.

Description:

One important concept in computer security is the CIA model of information assurance. Each of the letters in CIA stands for a different concept.
These are:

  • Confidentiality: The protection of information from unauthorized access – in other words, ensuring that secrets stay secret.
  • Integrity: The protection of the validity of the data – in other words, ensuring that data reflects the real world accurately.
  • Availability:Ensuring that authorized parties are able to access the information as per their need.

 

Risk & Example

The CIA principles are often at odds with one another. You can think of the CIA model as a three-legged stool on which is perched a ball (security). It takes a careful balance of all three principals to achieve the exact level of security we need for our particular endeavor. If any one leg is lacking, the ball will fall from the stool. Furthermore, the legs must all be an appropriate height in order to ensure that those who need access to the data can access it while those who don’t are kept from it.

Stool with Apple on top

Example of Occurrence:

As an example, take a simple dataset mapping users’ names (publicly available information) to their social security numbers (confidential information). In seeking confidentiality (hiding users social security numbers), we must restrict availability (by hiding the information and making it unavailable) or integrity (by disguising the information so it no longer reflects reality). In seeking integrity (ensuring that the database accurately reflects the real world), we must sacrifice confidentiality (by releasing the accurate information) or availability (by hiding it from users). In seeking greater availability, we must sacrifice either confidentiality (by making the unaltered information available to users) or integrity (by disguising the information such as it no longer reflect the real world).

How to Address Trade-Offs:

Check sensitivity of data: Review all data your program handles and ask yourself:

  • Can there be any harm if this data is disclosed? For example, if a program handles credit card information, this data needs to be protected from being revealed to unauthorized personnel, such as anyone other than the owner of the credit card.
  • Does disclosing this data cause any privacy violation? Consider a program that handles the age of employees. Although this information is not secret, this data needs to be protected, as the employee may consider this private information.

Data sensitivity level can vary. For example, while credit card information is considered highly sensitive, age information is considerably less sensitive.

Assess risk: Once you have reviewed sensitivity of data, think about the amount of impact it would have if the data is disclosed to unauthorized personnel. For example, the disclosure of credit card information is considered a high impact risk because financial loss can occur. On the other hand, the disclosure of age information may only impact the vanity of the employee, making it a lower impact risk. Obviously, highly sensitive data with more risk requires more attention for security controls.

Review design decisions: Consider how you will balance the need for protection with the need for accessibility. The following laboratory assignment demonstrates such trade off design decisions.

 

Laboratory Assignment:

In this assignment, you will create and populate a database of Student Information (including the student’s ID, name, and GPA). You will then display the information in three ways – demonstrating the tradeoffs associated with the CIA model.

STEP 1: Datafile

1.1 Download the data file.

STEP 2: Creating Dataset

2.1: Declare an array of strings long enough to store student names for each student (a total of 10).
2.2: Declare an array of strings of length 10 to store student IDs.
2.3: Declare an array of doubles long enough to store GPA for each student.

STEP 3: Reading dataset from file into arrays

3.1: Open the datafile, then ensure the file was opened correctly.
3.2: Construct a loop to read the data from the file and store it in arrays you created.
Note: You may use either a “for” loop (as we know how many iterations the operation requires) or “while” loop(if we wish to make code more generic).
3.3: Use pointer notation instead of array notation to store the values in the arrays
3.4: When you are done reading information from the file, close the file.

STEP 4: Demonstrating availability and integrity, at the expense of confidentiality

4.1: Display Number, Name, and GPA using pointer notation.

STEP 5: Demonstrating confidentiality and integrity, at the expense of availability

5.1: Display Name and Number of the student, leaving off GPA.

STEP 6: Demonstrating confidentiality and availability, at the expense of integrity.

To demonstrate step 6, you will have to modify values in the dataset while displaying, using a technique called fuzzing. This modifies the value stored in an unpredictable way, ensuring that the student’s confidentiality with regards to his or her GPA is respected. In this regard, you will have to make use of C++’s random number generator. To do this follow step 6.1 below:

6.1: Add the “cstdlib” and “ctime” librarires for this part of exercise.

Now, we need to seed the random number generator – all this means is that we set up the random numbers the program will generate. We want to ensure the numbers generated are sufficiently random; in this case, ensuring the seeds come out differently each time the program is run will suffice. To accomplish this, we will seed the generator with the number of seconds that have passed from an arbitrary point in the past (in this case, the Unix epoch, or 00:00:00 UTC on January 1, 1970), ensuring that each time the program has run , the seeds are different (unless the programs are started at precisely the same second – an acceptable risk in this instance). To do this follow step 6.2 below:

6.2: Add srand(time(0)) towards the beginning of the program.

Once the generator is seeded, you will need to generate noise specifically formatted for modifying GPA values. Follow the steps below:

6.3: Generate a random number integer using ( int randomInt = rand();) in your code.
6.4: Generate the noise value using the command (double noise = (randomInt%100)/100.0;) in your code.

In step 6.4, the command makes use of modulus division(%), which returns the remainder from the division of its two operands. According to the Quotient Remainder Theorem, the possible values of the remainder of a division operator where the divisor is n can only range from zero to n-1. The noise variable now contains a random decimal value ranging from 0.0 to 0.99. You are now ready to fuzz the GPA values.

Now, you need to randomly determine if we want to increase or decrease a particular GPA. To do this, make use of modulus division and follow the simple heuristic as shown in following steps below:

6.5: Check to see if the randomInt generated is even (randInt%2==0) or odd.
6.6: If randomInt generated is even (and the GPA you are adding the noise to is not subsquently greater than 4.0), then display the GPA with the added randomly generated noise. If either of those conditions are false, display the GPA using pointer notation with the random noise subtracted from the value.
Note – (You need a new random fuzz value for each student’s GPA when you are displaying it)

This simple precaution demonstrated in step 6 preserves student confidentiality (true GPA is not revealed) and availability (data is displayed for user) but at the expense of integrity(as displayed GPA is not true GPA).

*Copying and pasting programs may result in syntax errors and other inconsistencies. It is recommended you type each program.

 

Discussion Questions

  1. In your own words, explain each of the principals involved in the CIA model and give an example of each.
  2. In your own words, use a personal computing asset to give an example of each: confidentiality, integrity and availability violation for the asset.
  3. Complete the following Security Checklist similar to the one above for a mobile phone service provider, where the data is a customer’s name, mobile number, monthly billed amount, and billed credit card.

Security Checklist

Security Checklist
Data Sensitivity Impact Need for Confidentiality Need for Integrity Need for Availability
Customer’s Name          
Mobile Number          
Billed Amount          
Credit card billed          

 

 
Copyright © Towson University